diff --git a/Packs/soc-framework-pov-test/.pack-ignore b/Packs/soc-framework-pov-test/.pack-ignore new file mode 100644 index 0000000..baedbaf --- /dev/null +++ b/Packs/soc-framework-pov-test/.pack-ignore @@ -0,0 +1,7 @@ +[file_ignore_list] +.git +.git/* +images +images/* +documentation +documentation/* diff --git a/Packs/soc-framework-pov-test/.secrets-ignore b/Packs/soc-framework-pov-test/.secrets-ignore new file mode 100644 index 0000000..90ce9ca --- /dev/null +++ b/Packs/soc-framework-pov-test/.secrets-ignore @@ -0,0 +1 @@ +# secrets-ignore diff --git a/Packs/soc-framework-pov-test/Integrations/SOCFWPoVSender/README.md b/Packs/soc-framework-pov-test/Integrations/SOCFWPoVSender/README.md new file mode 100644 index 0000000..fabd475 --- /dev/null +++ b/Packs/soc-framework-pov-test/Integrations/SOCFWPoVSender/README.md @@ -0,0 +1,28 @@ +# SOCFWPoVSender + +Sends PoV attack scenario event data from XSIAM lists to an XSIAM HTTP Collector endpoint. + +Configure one instance per data source. Run `!socfw-pov-send-data` from any case war room or the playground. + +## Commands + +### socfw-pov-send-data + +Reads scenario events from an XSIAM list, rebases timestamps to now, normalizes source-specific fields, rotates suppression IDs, and POSTs to the configured HTTP Collector. + +**Arguments:** + +| Argument | Required | Description | +|---|---|---| +| `list_name` | Yes | XSIAM list containing scenario event data (JSON array) | +| `global_min` | No | ISO timestamp of earliest event across all sources in this scenario | +| `global_max` | No | ISO timestamp of latest event across all sources in this scenario | +| `compress_window` | No | Override compress window (e.g. `2h`, `30m`). Default: instance setting | + +**Example:** + +``` +!socfw-pov-send-data list_name=SOCFWPoVData_CrowdStrike_TurlaCarbon_V1 + global_min=2025-12-02T13:00:00Z global_max=2025-12-04T12:01:07Z + using=socfw_pov_crowdstrike_sender +``` diff --git a/Packs/soc-framework-pov-test/Integrations/SOCFWPoVSender/SOCFWPoVSender.py b/Packs/soc-framework-pov-test/Integrations/SOCFWPoVSender/SOCFWPoVSender.py new file mode 100644 index 0000000..cab2b2e --- /dev/null +++ b/Packs/soc-framework-pov-test/Integrations/SOCFWPoVSender/SOCFWPoVSender.py @@ -0,0 +1,93 @@ +import demistomock as demisto # type: ignore +from CommonServerPython import * # type: ignore + +import json +import urllib.request +import urllib.error + + +def _get_api_key(params: dict) -> str: + """Type 4 credential params return either a plain string or {'password': '...'}.""" + val = params.get("api_key", "") + if isinstance(val, dict): + return val.get("password", "") + return str(val or "").strip() + + +def test_module_command(params: dict) -> str: + url = (params.get("url") or "").strip() + api_key = _get_api_key(params) + source = (params.get("source_name") or "").strip() + if not url: + return "Configuration error: HTTP Collector URL is required." + if not api_key: + return "Configuration error: API Key is required." + if not source: + return "Configuration error: Source Name is required (e.g. crowdstrike or proofpoint)." + return "ok" + + +def send_data_command(params: dict, args: dict) -> CommandResults: + """ + Receives pre-processed events as a JSON string from SOCFWPoVSend script + and POSTs to the configured HTTP Collector endpoint as NDJSON. + All normalization and timestamp rebasing is done in the script layer. + """ + url = (params.get("url") or "").rstrip("/") + api_key = _get_api_key(params) + + json_arg = args.get("JSON", "") + if not json_arg: + raise ValueError("JSON argument is required.") + + events = json.loads(json_arg) + if not isinstance(events, list): + events = [events] + + if not events: + return CommandResults(readable_output="No events to send.") + + # XSIAM HTTP Collector expects newline-delimited JSON (NDJSON) + body = "\n".join(json.dumps(ev) for ev in events).encode("utf-8") + + headers = { + "Content-Type": "application/json", + "Authorization": api_key, + } + + req = urllib.request.Request(url, data=body, headers=headers, method="POST") + try: + with urllib.request.urlopen(req, timeout=30) as resp: + status = resp.getcode() + if status not in (200, 204): + raise ValueError(f"HTTP {status} from collector") + except urllib.error.HTTPError as e: + raise ValueError(f"HTTP {e.code} from collector: {e.reason}") + except urllib.error.URLError as e: + raise ValueError(f"URL error: {e.reason}") + + return CommandResults( + readable_output=f"SOCFWPoVSender: {len(events)} events sent to {url}" + ) + + +def main() -> None: + params = demisto.params() + command = demisto.command() + args = demisto.args() + + demisto.debug(f"SOCFWPoVSender: command={command}") + + try: + if command == "test-module": + return_results(test_module_command(params)) + elif command == "socfw-pov-send-data": + return_results(send_data_command(params, args)) + else: + raise NotImplementedError(f"Command '{command}' is not implemented.") + except Exception as e: + return_error(f"SOCFWPoVSender error [{command}]: {str(e)}") + + +if __name__ in ("__main__", "__builtin__", "builtins"): + main() diff --git a/Packs/soc-framework-pov-test/Integrations/SOCFWPoVSender/SOCFWPoVSender.yml b/Packs/soc-framework-pov-test/Integrations/SOCFWPoVSender/SOCFWPoVSender.yml new file mode 100644 index 0000000..9ce65d2 --- /dev/null +++ b/Packs/soc-framework-pov-test/Integrations/SOCFWPoVSender/SOCFWPoVSender.yml @@ -0,0 +1,72 @@ +commonfields: + id: SOCFWPoVSender + version: -1 +name: SOCFWPoVSender +display: SOC Framework PoV Sender +category: Utilities +description: |- + Thin HTTP POST wrapper for the SOC Framework PoV Test pack. + Receives pre-processed events from the SOCFWPoVSend script and + posts them as NDJSON to the configured HTTP Collector endpoint. + All list reading, normalization, and timestamp rebasing is handled + by the SOCFWPoVSend script — this integration only stores credentials + and performs the HTTP POST. +configuration: + - name: url + display: HTTP Collector URL + required: true + type: 0 + section: Connect + additionalinfo: |- + Full URL of the XSIAM HTTP Collector endpoint for this data source. + Found in Settings → Data Sources → [your collector] → Connection Details. + + - name: api_key + display: API Key + required: true + type: 4 + section: Connect + additionalinfo: HTTP Collector API key for this data source. + + - name: source_name + display: Source Name + required: true + type: 0 + defaultvalue: crowdstrike + section: Connect + additionalinfo: |- + Source type label for logging. e.g. crowdstrike, proofpoint. + + - name: insecure + display: Trust any certificate (not secure) + required: false + type: 8 + section: Connect + advanced: true + + - name: proxy + display: Use system proxy settings + required: false + type: 8 + section: Connect + advanced: true + +script: + script: '' + type: python + subtype: python3 + dockerimage: demisto/python3:3.10.14.100715 + commands: + - name: socfw-pov-send-data + description: |- + Accepts pre-processed events as a JSON string and posts them as + NDJSON to the configured HTTP Collector. Called by the SOCFWPoVSend + script — do not call directly. + arguments: + - name: JSON + required: true + description: JSON array of events to send (pre-processed by SOCFWPoVSend script). + outputs: [] +fromversion: 8.0.0 +tests: + - No tests diff --git a/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1.json b/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1.json new file mode 100644 index 0000000..8f690a9 --- /dev/null +++ b/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1.json @@ -0,0 +1,20 @@ +{ + "allRead": true, + "allReadWrite": false, + "dbotCreated": false, + "description": "Turla Carbon scenario — CrowdStrike Falcon endpoint detection events from BYOS MITRE lab execution (December 2025). 138 events covering Execution, Command and Control, Lateral Movement, and Ingress Tool Transfer tactics across hosts hobgoblin and bannik. Used by SOCFWPoVSender to replay the EDR leg of the Turla Carbon attack chain.", + "fromVersion": "6.5.0", + "id": "SOCFWPoVData_CrowdStrike_TurlaCarbon_V1", + "itemVersion": "", + "locked": false, + "name": "SOCFWPoVData_CrowdStrike_TurlaCarbon_V1", + "display_name": "SOCFWPoVData_CrowdStrike_TurlaCarbon_V1", + "packID": "soc-framework-pov-test", + "propagationLabels": ["all"], + "system": false, + "tags": [], + "toVersion": "", + "truncated": false, + "type": "json", + "version": -1 +} diff --git a/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1_data.json b/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1_data.json new file mode 100644 index 0000000..65d4cc8 --- /dev/null +++ b/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1/SOCFWPoVData_CrowdStrike_TurlaCarbon_V1_data.json @@ -0,0 +1,71246 @@ +[ + { + "_time": "Dec 04 2025 11:07:50", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "w8pTU41marB46OFfw8rygA==:0:61:140", + "_insert_time": "Dec 04 2025 11:08:46", + "_name": "GenericStandardAppLayerProtocolC2", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10352-20247568", + "confidence": 80, + "context_timestamp": "Dec 04 2025 11:06:46", + "crawled_timestamp": "2025-12-04T17:07:48.698561141Z", + "created_timestamp": "2025-12-04T17:07:48.698553608Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process attempted to communicate using a standard application layer protocol, possibly to a command and control server. Adversaries can use this to blend in with normal network traffic and evade detection. Review the process tree.", + "display_name": "StandardAppLayerProtocolC2", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10352-20247568?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10352-20247568", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10352, + "tactic_id": "TA0011", + "technique_id": "T1071", + "tactic": "Command and Control", + "technique": "Application Layer Protocol" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10352-20247568", + "occurred": "Dec 04 2025 11:07:48", + "pattern_id": 10352, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxduXQd1OO4JfVeMIZwiHO3AAATiEoe84F9jF7dHoQfsrJo_KypOpuwinrA-Upp1yYybq1NQ==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:33285871960", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33240296421", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33260052529", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33270040597", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33268729853", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33270579522", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33253813395", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33244439664", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33238626371", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33253364652", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33236641945", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33254863292", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33237259668", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33243018844", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33344914287" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10352-20247568", + "confidence": 80, + "context_timestamp": "2025-12-04T17:06:46.250Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "crawled_timestamp": "2025-12-04T17:07:48.698561141Z", + "created_timestamp": "2025-12-04T17:07:48.698553608Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process attempted to communicate using a standard application layer protocol, possibly to a command and control server. Adversaries can use this to blend in with normal network traffic and evade detection. Review the process tree.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-04T17:04:04Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:05:08Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "StandardAppLayerProtocolC2", + "dns_requests": [ + { + "domain_name": "prendre-des-vacances.fr", + "interface_index": "0", + "load_time": "1764867824", + "request_type": "AAAA" + } + ], + "email_sent": true, + "event_correlation_id": "3722c69b-33d1-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10352-20247568?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_accessed": [ + { + "filename": "content_new.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\jmjflgjpcpepeafmmgdpfkogkghcpiha\\1.2.1_0", + "timestamp": "1764867689" + }, + { + "filename": "cversions.1.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764867689" + }, + { + "filename": "content.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\jmjflgjpcpepeafmmgdpfkogkghcpiha\\1.2.1_0", + "timestamp": "1764867689" + }, + { + "filename": "EdgeEDropSQLite.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeEDrop", + "timestamp": "1764867689" + }, + { + "filename": "{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764867689" + }, + { + "filename": "EdgeJourneys.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeJourneys", + "timestamp": "1764867691" + }, + { + "filename": "EdgeHubAppUsageSQLite.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeHubAppUsage", + "timestamp": "1764867691" + }, + { + "filename": "heavy_ad_intervention_opt_out.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default", + "timestamp": "1764867691" + }, + { + "filename": "data.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\EADPData Component\\4.0.3.21", + "timestamp": "1764867692" + }, + { + "filename": "first_party_sets.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data", + "timestamp": "1764867693" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "5124", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "process_id": "30311220886", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-04T16:53:36Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10352-20247568", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10352-20247568", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "9860", + "logon_domain": "SKT", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "mitre_attack": [ + { + "pattern_id": 10352, + "tactic_id": "TA0011", + "technique_id": "T1071", + "tactic": "Command and Control", + "technique": "Application Layer Protocol" + } + ], + "name": "GenericStandardAppLayerProtocolC2", + "network_accesses": [ + { + "access_timestamp": "1764867823", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "65234", + "protocol": "TCP", + "remote_address": "91.52.62.137", + "remote_port": "80" + } + ], + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "10108", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33138861721", + "process_id": "33138861721", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-04T17:01:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "33138861721", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10352, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxduXQd1OO4JfVeMIZwiHO3AAATiEoe84F9jF7dHoQfsrJo_KypOpuwinrA-Upp1yYybq1NQ==", + "priority_details": { + "raw_value": 61 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 61, + "process_id": "33235432076", + "process_start_time": "1764867688", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Application Layer Protocol", + "technique_id": "T1071", + "template_instance_id": "15673", + "timestamp": "2025-12-04T17:06:46.689Z", + "tree_id": "8591711476", + "tree_root": "30311220886", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33235432076", + "type": "ldt", + "updated_timestamp": "2025-12-04T17:07:50.013721938Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 04 2025 11:06:46", + "type": "ldt", + "updated_timestamp": "2025-12-04T17:07:50.013721938Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Application Layer Protocol", + "technique_id": "T1071", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-04T17:04:04Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:05:08Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10352-20247568", + "local_prevalence": "common", + "local_process_id": 9860, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 61 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 61, + "process_id": 33235432076, + "process_start_time": 1764867688, + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "tree_id": 8591711476, + "tree_root": 30311220886, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33235432076", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "3722c69b-33d1-f011-9bde-000d3a1e5143", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "alleged_filetype": "exe", + "parent_process_id": 33138861721, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "10108", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33138861721", + "process_id": "33138861721", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-04T17:01:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "5124", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "process_id": "30311220886", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-04T16:53:36Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:33285871960", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33240296421", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33260052529", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33270040597", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33268729853", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33270579522", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33253813395", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33244439664", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33238626371", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33253364652", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33236641945", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33254863292", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33237259668", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33243018844", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33344914287" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": 15673, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764867823", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "65234", + "protocol": "TCP", + "remote_address": "91.52.62.137", + "remote_port": "80" + } + ], + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "content_new.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\jmjflgjpcpepeafmmgdpfkogkghcpiha\\1.2.1_0", + "timestamp": "1764867689" + }, + { + "filename": "cversions.1.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764867689" + }, + { + "filename": "content.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\jmjflgjpcpepeafmmgdpfkogkghcpiha\\1.2.1_0", + "timestamp": "1764867689" + }, + { + "filename": "EdgeEDropSQLite.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeEDrop", + "timestamp": "1764867689" + }, + { + "filename": "{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764867689" + }, + { + "filename": "EdgeJourneys.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeJourneys", + "timestamp": "1764867691" + }, + { + "filename": "EdgeHubAppUsageSQLite.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeHubAppUsage", + "timestamp": "1764867691" + }, + { + "filename": "heavy_ad_intervention_opt_out.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default", + "timestamp": "1764867691" + }, + { + "filename": "data.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\EADPData Component\\4.0.3.21", + "timestamp": "1764867692" + }, + { + "filename": "first_party_sets.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data", + "timestamp": "1764867693" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": [ + { + "domain_name": "prendre-des-vacances.fr", + "interface_index": "0", + "load_time": "1764867824", + "request_type": "AAAA" + } + ], + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 04 2025 11:04:41", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "0R7KDNrZaD6PZRu9UC5VLw==:0:61:140", + "_insert_time": "Dec 04 2025 11:04:47", + "_name": "MaliciousModule", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10136-19668496", + "confidence": 80, + "context_timestamp": "Dec 04 2025 11:03:36", + "crawled_timestamp": "2025-12-04T17:04:39.912525683Z", + "created_timestamp": "2025-12-04T17:04:39.912513284Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "display_name": "MaliciousModule", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10136-19668496?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10136-19668496", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10136-19668496", + "occurred": "Dec 04 2025 11:04:39", + "pattern_id": 10136, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxfBwviZVqBNoAg8xqAK3xPQAATiG1YojaQgHaGdNrelvDjuVb_dkN_ZJr0zdaRrR5eKoScg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:33236641945", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33238626371", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33240296421", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33237259668", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33243018844", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33244439664", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33253364652", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33254863292", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33253813395", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33260052529", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33270579522", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33270040597", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33268729853", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33285871960", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33344914287" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10136-19668496", + "confidence": 80, + "context_timestamp": "2025-12-04T17:03:36.935Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "crawled_timestamp": "2025-12-04T17:04:39.912525683Z", + "created_timestamp": "2025-12-04T17:04:39.912513284Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-04T17:04:04Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:04:10Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MaliciousModule", + "dns_requests": [ + { + "domain_name": "prendre-des-vacances.fr", + "interface_index": "0", + "load_time": "1764867824", + "request_type": "AAAA" + } + ], + "email_sent": true, + "event_correlation_id": "64dbf5d5-32d1-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10136-19668496?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_accessed": [ + { + "filename": "{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764867689" + }, + { + "filename": "content_new.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\jmjflgjpcpepeafmmgdpfkogkghcpiha\\1.2.1_0", + "timestamp": "1764867689" + }, + { + "filename": "cversions.1.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764867689" + }, + { + "filename": "content.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\jmjflgjpcpepeafmmgdpfkogkghcpiha\\1.2.1_0", + "timestamp": "1764867689" + }, + { + "filename": "EdgeEDropSQLite.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeEDrop", + "timestamp": "1764867689" + }, + { + "filename": "heavy_ad_intervention_opt_out.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default", + "timestamp": "1764867691" + }, + { + "filename": "EdgeJourneys.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeJourneys", + "timestamp": "1764867691" + }, + { + "filename": "EdgeHubAppUsageSQLite.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeHubAppUsage", + "timestamp": "1764867691" + }, + { + "filename": "data.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\EADPData Component\\4.0.3.21", + "timestamp": "1764867692" + }, + { + "filename": "first_party_sets.db-journal", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data", + "timestamp": "1764867693" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "5124", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "process_id": "30311220886", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-04T16:53:36Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10136-19668496", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10136-19668496", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "9860", + "logon_domain": "SKT", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "MaliciousModule", + "network_accesses": [ + { + "access_timestamp": "1764867823", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "65234", + "protocol": "TCP", + "remote_address": "91.52.62.137", + "remote_port": "80" + } + ], + "objective": "Follow Through", + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "10108", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33138861721", + "process_id": "33138861721", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-04T17:01:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "33138861721", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10136, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxfBwviZVqBNoAg8xqAK3xPQAATiG1YojaQgHaGdNrelvDjuVb_dkN_ZJr0zdaRrR5eKoScg==", + "priority_details": { + "raw_value": 71 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 71, + "process_id": "33235432076", + "process_start_time": "1764867688", + "product": "epp", + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "template_instance_id": "13395", + "timestamp": "2025-12-04T17:03:37.85Z", + "tree_id": "8591711476", + "tree_root": "30311220886", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33235432076", + "type": "ldt", + "updated_timestamp": "2025-12-04T17:04:41.208177497Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 04 2025 11:03:37", + "type": "ldt", + "updated_timestamp": "2025-12-04T17:04:41.208177497Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Follow Through", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-04T17:04:04Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:04:10Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33235432076-10136-19668496", + "local_prevalence": "common", + "local_process_id": 9860, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 71 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 71, + "process_id": 33235432076, + "process_start_time": 1764867688, + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "tree_id": 8591711476, + "tree_root": 30311220886, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33235432076", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "64dbf5d5-32d1-f011-9bde-000d3a1e5143", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "alleged_filetype": "exe", + "parent_process_id": 33138861721, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "10108", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33138861721", + "process_id": "33138861721", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-04T17:01:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "5124", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "process_id": "30311220886", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-04T16:53:36Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:33236641945", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33238626371", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33240296421", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33237259668", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33243018844", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33244439664", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33253364652", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33254863292", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33253813395", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33260052529", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33270579522", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33270040597", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33268729853", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33285871960", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33344914287" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": 13395, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764867823", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "65234", + "protocol": "TCP", + "remote_address": "91.52.62.137", + "remote_port": "80" + } + ], + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764867689" + }, + { + "filename": "content_new.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\jmjflgjpcpepeafmmgdpfkogkghcpiha\\1.2.1_0", + "timestamp": "1764867689" + }, + { + "filename": "cversions.1.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764867689" + }, + { + "filename": "content.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\jmjflgjpcpepeafmmgdpfkogkghcpiha\\1.2.1_0", + "timestamp": "1764867689" + }, + { + "filename": "EdgeEDropSQLite.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeEDrop", + "timestamp": "1764867689" + }, + { + "filename": "heavy_ad_intervention_opt_out.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default", + "timestamp": "1764867691" + }, + { + "filename": "EdgeJourneys.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeJourneys", + "timestamp": "1764867691" + }, + { + "filename": "EdgeHubAppUsageSQLite.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\EdgeHubAppUsage", + "timestamp": "1764867691" + }, + { + "filename": "data.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\EADPData Component\\4.0.3.21", + "timestamp": "1764867692" + }, + { + "filename": "first_party_sets.db-journal", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data", + "timestamp": "1764867693" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": [ + { + "domain_name": "prendre-des-vacances.fr", + "interface_index": "0", + "load_time": "1764867824", + "request_type": "AAAA" + } + ], + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 04 2025 10:55:50", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "kRUR0VfT1qIthQ/AaXvXig==:0:61:140", + "_insert_time": "Dec 04 2025 10:57:23", + "_name": "MaliciousModule", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33138861721-10136-19298064", + "confidence": 80, + "context_timestamp": "Dec 04 2025 10:54:41", + "crawled_timestamp": "2025-12-04T16:55:44.258271494Z", + "created_timestamp": "2025-12-04T16:55:44.258264868Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "display_name": "MaliciousModule", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33138861721-10136-19298064?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33138861721-10136-19298064", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33138861721-10136-19298064", + "occurred": "Dec 04 2025 10:55:44", + "pattern_id": 10136, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx7MidGRbrJb7-2lC7MRlGxgAATiH5eOoVZIcVxQIiuefDu9tTOPIM77dq1uAVQj4R2Hobjw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:33140675063", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33142376304", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33143446578", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33141809565", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33149575060", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33152119551", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33150086708", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33151583989", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33154365318", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33155554613", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33159017721", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33160232656", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33159432622", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33168517166" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33138861721-10136-19298064", + "confidence": 80, + "context_timestamp": "2025-12-04T16:54:41.816Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "crawled_timestamp": "2025-12-04T16:55:44.258271494Z", + "created_timestamp": "2025-12-04T16:55:44.258264868Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-04T16:50:10Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T16:53:12Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MaliciousModule", + "dns_requests": [ + { + "domain_name": "prendre-des-vacances.fr", + "interface_index": "0", + "load_time": "1764867283", + "request_type": "AAAA" + } + ], + "email_sent": true, + "event_correlation_id": "b406ee2a-31d1-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33138861721-10136-19298064?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_accessed": [ + { + "filename": "edge_tracking_page_validator.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "shopping.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764867209" + }, + { + "filename": "shopping_iframe_driver.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "shopping.html", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "content_new.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\jmjflgjpcpepeafmmgdpfkogkghcpiha\\1.2.1_0", + "timestamp": "1764867209" + }, + { + "filename": "shopping_fre.html", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "edge_confirmation_page_validator.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "data.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\EADPData Component\\4.0.3.20", + "timestamp": "1764867209" + }, + { + "filename": "edge_checkout_page_validator.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33138861721-10136-19298064", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33138861721-10136-19298064", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "10108", + "logon_domain": "SKT", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "MaliciousModule", + "network_accesses": [ + { + "access_timestamp": "1764867282", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "64912", + "protocol": "TCP", + "remote_address": "91.52.62.137", + "remote_port": "80" + } + ], + "objective": "Follow Through", + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "5124", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "process_id": "30311220886", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-04T16:53:36Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "30311220886", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10136, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx7MidGRbrJb7-2lC7MRlGxgAATiH5eOoVZIcVxQIiuefDu9tTOPIM77dq1uAVQj4R2Hobjw==", + "priority_details": { + "raw_value": 71 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 71, + "process_id": "33138861721", + "process_start_time": "1764867206", + "product": "epp", + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "template_instance_id": "13395", + "timestamp": "2025-12-04T16:54:42.548Z", + "tree_id": "8591711476", + "tree_root": "30311220886", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33138861721", + "type": "ldt", + "updated_timestamp": "2025-12-04T16:55:50.584501542Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 04 2025 10:54:42", + "type": "ldt", + "updated_timestamp": "2025-12-04T16:55:50.584501542Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Follow Through", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-04T16:50:10Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T16:53:12Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33138861721-10136-19298064", + "local_prevalence": "common", + "local_process_id": 10108, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 71 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 71, + "process_id": 33138861721, + "process_start_time": 1764867206, + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "tree_id": 8591711476, + "tree_root": 30311220886, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33138861721", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "b406ee2a-31d1-f011-9bde-000d3a1e5143", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "alleged_filetype": "exe", + "parent_process_id": 30311220886, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "5124", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "process_id": "30311220886", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-04T16:53:36Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:33140675063", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33142376304", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33143446578", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33141809565", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33149575060", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33152119551", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33150086708", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33151583989", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33154365318", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33155554613", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33159017721", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33160232656", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33159432622", + "pid:87ef612d8acd4f6897cc9eb253469ee4:33168517166" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": 13395, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764867282", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "64912", + "protocol": "TCP", + "remote_address": "91.52.62.137", + "remote_port": "80" + } + ], + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "edge_tracking_page_validator.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "shopping.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764867209" + }, + { + "filename": "shopping_iframe_driver.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "shopping.html", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "content_new.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Extensions\\jmjflgjpcpepeafmmgdpfkogkghcpiha\\1.2.1_0", + "timestamp": "1764867209" + }, + { + "filename": "shopping_fre.html", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "edge_confirmation_page_validator.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + }, + { + "filename": "data.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\EADPData Component\\4.0.3.20", + "timestamp": "1764867209" + }, + { + "filename": "edge_checkout_page_validator.js", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Edge Shopping\\2.1.88.0", + "timestamp": "1764867209" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": [ + { + "domain_name": "prendre-des-vacances.fr", + "interface_index": "0", + "load_time": "1764867283", + "request_type": "AAAA" + } + ], + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 04 2025 06:01:09", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "xVjHTmodaqowKX3aum+JJQ==:0:61:140", + "_insert_time": "Dec 04 2025 06:01:46", + "_name": "RemoteFileCopy", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17204270122", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-10292-103341840", + "confidence": 80, + "context_timestamp": "Dec 04 2025 06:00:01", + "crawled_timestamp": "2025-12-04T12:01:04.235403701Z", + "created_timestamp": "2025-12-04T12:01:04.235397225Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "display_name": "RemoteFileCopy", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-10292-103341840?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-10292-103341840", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-10292-103341840", + "occurred": "Dec 04 2025 06:01:04", + "pattern_id": 10292, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx1RLrAKbfkml7FZ1dYen4gwAATiEqHYYf4cQjncMDCtb_cP1AK8KbVaBBSitOpSZke5Mmfg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17204270122", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32912083629" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-10292-103341840", + "confidence": 80, + "context_timestamp": "2025-12-04T12:00:01.402Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17204270122", + "crawled_timestamp": "2025-12-04T12:01:04.235403701Z", + "created_timestamp": "2025-12-04T12:01:04.235397225Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T11:29:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T12:00:32Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "RemoteFileCopy", + "email_sent": true, + "event_correlation_id": "bb968171-04d1-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-10292-103341840?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-10292-103341840", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-10292-103341840", + "ioc_context": [], + "local_prevalence": "low", + "local_process_id": "6952", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "RemoteFileCopy", + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10292, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx1RLrAKbfkml7FZ1dYen4gwAATiEqHYYf4cQjncMDCtb_cP1AK8KbVaBBSitOpSZke5Mmfg==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_end_time": "1764849601", + "process_id": "32911190089", + "process_start_time": "1764849600", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "template_instance_id": "7090", + "timestamp": "2025-12-04T12:00:01.644Z", + "tree_id": "17204270122", + "tree_root": "32911190089", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32911190089", + "type": "ldt", + "updated_timestamp": "2025-12-04T12:01:09.560787817Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 04 2025 06:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-04T12:01:09.560787817Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17204270122", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T11:29:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T12:00:32Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-10292-103341840", + "local_prevalence": "low", + "local_process_id": 6952, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_id": 32911190089, + "process_start_time": 1764849600, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17204270122, + "tree_root": 32911190089, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32911190089", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "bb968171-04d1-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32912083629" + ], + "process_end_time": 1764849601, + "incident": "", + "template_instance_id": 7090, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 03 2025 18:01:07", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "59AO2f9hFd9qfeidU6lf2Q==:1:61:140", + "_insert_time": "Dec 03 2025 18:01:46", + "_name": "RemoteFileCopy", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17201987274", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-10292-74536464", + "confidence": 80, + "context_timestamp": "Dec 03 2025 18:00:01", + "crawled_timestamp": "2025-12-04T00:01:06.029682574Z", + "created_timestamp": "2025-12-04T00:01:06.029675385Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "display_name": "RemoteFileCopy", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-10292-74536464?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-10292-74536464", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-10292-74536464", + "occurred": "Dec 03 2025 18:01:06", + "pattern_id": 10292, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxN4WUdp2jrq5Vt8nAHQUlEwAATiHXR5ZqoKmM4LEqZ_GiZ1Ze65CFZJJc6iNX-XFO_ns-7w==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17201987274", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32485962962" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-10292-74536464", + "confidence": 80, + "context_timestamp": "2025-12-04T00:00:01.095Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17201987274", + "crawled_timestamp": "2025-12-04T00:01:06.029682574Z", + "created_timestamp": "2025-12-04T00:01:06.029675385Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T23:54:03Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T00:00:30Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "RemoteFileCopy", + "email_sent": true, + "event_correlation_id": "78841689-a3d0-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-10292-74536464?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-10292-74536464", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-10292-74536464", + "ioc_context": [], + "local_prevalence": "low", + "local_process_id": "8808", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "RemoteFileCopy", + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10292, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxN4WUdp2jrq5Vt8nAHQUlEwAATiHXR5ZqoKmM4LEqZ_GiZ1Ze65CFZJJc6iNX-XFO_ns-7w==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_end_time": "1764806401", + "process_id": "32485821327", + "process_start_time": "1764806400", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "template_instance_id": "7090", + "timestamp": "2025-12-04T00:00:01.243Z", + "tree_id": "17201987274", + "tree_root": "32485821327", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32485821327", + "type": "ldt", + "updated_timestamp": "2025-12-04T00:01:07.595490616Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 03 2025 18:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-04T00:01:07.595490616Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17201987274", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T23:54:03Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T00:00:30Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-10292-74536464", + "local_prevalence": "low", + "local_process_id": 8808, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_id": 32485821327, + "process_start_time": 1764806400, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17201987274, + "tree_root": 32485821327, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32485821327", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "78841689-a3d0-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32485962962" + ], + "process_end_time": 1764806401, + "incident": "", + "template_instance_id": 7090, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 04 2025 00:01:05", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "KCI9MCLMy0iXp6Rnmt500A==:0:61:140", + "_insert_time": "Dec 04 2025 00:01:47", + "_name": "RemoteFileCopy", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17203662921", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-10292-88964368", + "confidence": 80, + "context_timestamp": "Dec 04 2025 00:00:01", + "crawled_timestamp": "2025-12-04T06:01:03.748483679Z", + "created_timestamp": "2025-12-04T06:01:03.748476401Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "display_name": "RemoteFileCopy", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-10292-88964368?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-10292-88964368", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-10292-88964368", + "occurred": "Dec 04 2025 00:01:03", + "pattern_id": 10292, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxjBmGLMCGe1UnHJkHdYO3LQAATiEluQpQqs1fY7ulaQj_mmSR00WUMhT-SVnDVXLzZ5Ilfg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17203662921", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32701959654" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-10292-88964368", + "confidence": 80, + "context_timestamp": "2025-12-04T06:00:01.064Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17203662921", + "crawled_timestamp": "2025-12-04T06:01:03.748483679Z", + "created_timestamp": "2025-12-04T06:01:03.748476401Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T05:44:04Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T06:00:58Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "RemoteFileCopy", + "email_sent": true, + "event_correlation_id": "736182a9-d3d0-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-10292-88964368?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-10292-88964368", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-10292-88964368", + "ioc_context": [], + "local_prevalence": "low", + "local_process_id": "4696", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "RemoteFileCopy", + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10292, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxjBmGLMCGe1UnHJkHdYO3LQAATiEluQpQqs1fY7ulaQj_mmSR00WUMhT-SVnDVXLzZ5Ilfg==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_end_time": "1764828001", + "process_id": "32701182657", + "process_start_time": "1764828000", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "template_instance_id": "7090", + "timestamp": "2025-12-04T06:00:01.346Z", + "tree_id": "17203662921", + "tree_root": "32701182657", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32701182657", + "type": "ldt", + "updated_timestamp": "2025-12-04T06:01:05.544648414Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 04 2025 00:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-04T06:01:05.544648414Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17203662921", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T05:44:04Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T06:00:58Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-10292-88964368", + "local_prevalence": "low", + "local_process_id": 4696, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_id": 32701182657, + "process_start_time": 1764828000, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17203662921, + "tree_root": 32701182657, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32701182657", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "736182a9-d3d0-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32701959654" + ], + "process_end_time": 1764828001, + "incident": "", + "template_instance_id": 7090, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 04 2025 00:01:05", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "KCI9MCLMy0iXp6Rnmt500A==:1:61:140", + "_insert_time": "Dec 04 2025 00:01:47", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17203662921", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-5708-88963856", + "confidence": 70, + "context_timestamp": "Dec 04 2025 00:00:01", + "crawled_timestamp": "2025-12-04T06:01:03.765486816Z", + "created_timestamp": "2025-12-04T06:01:03.765478549Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-5708-88963856?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-5708-88963856", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-5708-88963856", + "occurred": "Dec 04 2025 00:01:03", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx24ZLsXxp0z9gGSf5AFIXkQAATiGUk_oyP6Q7Vn7hIeSy4dKAMx_ujO60plbhoxaZFlBAZA==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17203662921", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32701959654" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-5708-88963856", + "confidence": 70, + "context_timestamp": "2025-12-04T06:00:01.064Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17203662921", + "crawled_timestamp": "2025-12-04T06:01:03.765486816Z", + "created_timestamp": "2025-12-04T06:01:03.765478549Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T05:44:04Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T06:00:58Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "716182a9-d3d0-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-5708-88963856?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-5708-88963856", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-5708-88963856", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "local_prevalence": "low", + "local_process_id": "4696", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx24ZLsXxp0z9gGSf5AFIXkQAATiGUk_oyP6Q7Vn7hIeSy4dKAMx_ujO60plbhoxaZFlBAZA==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_end_time": "1764828001", + "process_id": "32701182657", + "process_start_time": "1764828000", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-04T06:00:01.346Z", + "tree_id": "17203662921", + "tree_root": "32701182657", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32701182657", + "type": "ldt", + "updated_timestamp": "2025-12-04T06:01:05.538689655Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 04 2025 00:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-04T06:01:05.538689655Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17203662921", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T05:44:04Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T06:00:58Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32701182657-5708-88963856", + "local_prevalence": "low", + "local_process_id": 4696, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_id": 32701182657, + "process_start_time": 1764828000, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17203662921, + "tree_root": 32701182657, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32701182657", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "716182a9-d3d0-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32701959654" + ], + "process_end_time": 1764828001, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 04 2025 06:01:09", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "xVjHTmodaqowKX3aum+JJQ==:1:61:140", + "_insert_time": "Dec 04 2025 06:01:46", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17204270122", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-5708-103341072", + "confidence": 70, + "context_timestamp": "Dec 04 2025 06:00:01", + "crawled_timestamp": "2025-12-04T12:01:04.236441862Z", + "created_timestamp": "2025-12-04T12:01:04.236437166Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-5708-103341072?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-5708-103341072", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-5708-103341072", + "occurred": "Dec 04 2025 06:01:04", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxxHpt6B1hS3uuKQrQPL_srAAATiFsidL5CREtGVAN6nHAql8LVGH_0nhB8rrgx7fMTxaZFQ==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17204270122", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32912083629" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-5708-103341072", + "confidence": 70, + "context_timestamp": "2025-12-04T12:00:01.402Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17204270122", + "crawled_timestamp": "2025-12-04T12:01:04.236441862Z", + "created_timestamp": "2025-12-04T12:01:04.236437166Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T11:29:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T12:00:32Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "b7968171-04d1-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-5708-103341072?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-5708-103341072", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-5708-103341072", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "local_prevalence": "low", + "local_process_id": "6952", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxxHpt6B1hS3uuKQrQPL_srAAATiFsidL5CREtGVAN6nHAql8LVGH_0nhB8rrgx7fMTxaZFQ==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_end_time": "1764849601", + "process_id": "32911190089", + "process_start_time": "1764849600", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-04T12:00:01.644Z", + "tree_id": "17204270122", + "tree_root": "32911190089", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32911190089", + "type": "ldt", + "updated_timestamp": "2025-12-04T12:01:09.333909146Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 04 2025 06:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-04T12:01:09.333909146Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17204270122", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T11:29:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T12:00:32Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32911190089-5708-103341072", + "local_prevalence": "low", + "local_process_id": 6952, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_id": 32911190089, + "process_start_time": 1764849600, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17204270122, + "tree_root": 32911190089, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32911190089", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "b7968171-04d1-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32912083629" + ], + "process_end_time": 1764849601, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 03 2025 18:01:07", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "59AO2f9hFd9qfeidU6lf2Q==:0:61:140", + "_insert_time": "Dec 03 2025 18:01:46", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17201987274", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-5708-74537488", + "confidence": 70, + "context_timestamp": "Dec 03 2025 18:00:01", + "crawled_timestamp": "2025-12-04T00:01:06.019483013Z", + "created_timestamp": "2025-12-04T00:01:06.019472059Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-5708-74537488?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-5708-74537488", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-5708-74537488", + "occurred": "Dec 03 2025 18:01:06", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxHSZt6SZNi3TojsugJu4CygAATiHCFYV78-VSk5qAg2Ki22n3mHdyg25lNTPmwEFUwIG9yQ==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17201987274", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32485962962" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-5708-74537488", + "confidence": 70, + "context_timestamp": "2025-12-04T00:00:01.111Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17201987274", + "crawled_timestamp": "2025-12-04T00:01:06.019483013Z", + "created_timestamp": "2025-12-04T00:01:06.019472059Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T23:54:03Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T00:00:30Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "7f841689-a3d0-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-5708-74537488?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-5708-74537488", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-5708-74537488", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "local_prevalence": "low", + "local_process_id": "8808", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxHSZt6SZNi3TojsugJu4CygAATiHCFYV78-VSk5qAg2Ki22n3mHdyg25lNTPmwEFUwIG9yQ==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_end_time": "1764806401", + "process_id": "32485821327", + "process_start_time": "1764806400", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-04T00:00:01.244Z", + "tree_id": "17201987274", + "tree_root": "32485821327", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32485821327", + "type": "ldt", + "updated_timestamp": "2025-12-04T00:01:07.594541712Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 03 2025 18:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-04T00:01:07.594541712Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17201987274", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T23:54:03Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T00:00:30Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32485821327-5708-74537488", + "local_prevalence": "low", + "local_process_id": 8808, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_id": 32485821327, + "process_start_time": 1764806400, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17201987274, + "tree_root": 32485821327, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32485821327", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "7f841689-a3d0-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32485962962" + ], + "process_end_time": 1764806401, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 04 2025 11:22:47", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "jLP863AkuUsMTzkuuHoIjA==:0:61:140", + "_insert_time": "Dec 04 2025 11:23:46", + "_name": "EICARTestFileWrittenWin", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33555183721-10418-20615440", + "confidence": 80, + "context_timestamp": "Dec 04 2025 11:21:39", + "crawled_timestamp": "2025-12-04T17:22:42.86053346Z", + "created_timestamp": "2025-12-04T17:22:42.860524136Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process has written a known EICAR test file. Review the files written by the triggered process.", + "display_name": "EICARTestFileWrittenWin", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33555183721-10418-20615440?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33555183721-10418-20615440", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10418, + "tactic_id": "TA0002", + "technique_id": "T1204", + "tactic": "Execution", + "technique": "User Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33555183721-10418-20615440", + "occurred": "Dec 04 2025 11:22:42", + "pattern_id": 10418, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-HkJT3IeiefWlJoUF8QMXwAATiF8C8UCuv0SFXYVyUHrLAqpdy8YOTmqDkHpM1DXZbLEkg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --metrics-shmem-handle=3608,i,12308220912622825167,13156181753990439102,524288 --field-trial-handle=2000,i,12160573582351297337,15300254112198967591,262144 --variations-seed-version=20251204-010024.775000 --trace-process-track-uuid=3190709112812521109 --mojo-platform-channel-handle=8984 /prefetch:8", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33555183721-10418-20615440", + "confidence": 80, + "context_timestamp": "2025-12-04T17:21:39.722Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "crawled_timestamp": "2025-12-04T17:22:42.86053346Z", + "created_timestamp": "2025-12-04T17:22:42.860524136Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process has written a known EICAR test file. Review the files written by the triggered process.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-04T17:22:11Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:22:13Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "EICARTestFileWrittenWin", + "email_sent": true, + "event_correlation_id": "2276f05a-34d1-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33555183721-10418-20615440?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "chrome.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "files_accessed": [ + { + "filename": "iconcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868897" + }, + { + "filename": "{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764868897" + }, + { + "filename": "cversions.1.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764868897" + }, + { + "filename": "IconCache.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local", + "timestamp": "1764868897" + }, + { + "filename": "iconcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868897" + }, + { + "filename": "iconcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868898" + }, + { + "filename": "iconcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868898" + }, + { + "filename": "eicar.com.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764868900" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33555183721-10418-20615440", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33555183721-10418-20615440", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "8632", + "logon_domain": "SKT", + "md5": "acd3e2d7c77985f58069764b87afc435", + "mitre_attack": [ + { + "pattern_id": 10418, + "tactic_id": "TA0002", + "technique_id": "T1204", + "tactic": "Execution", + "technique": "User Execution" + } + ], + "name": "EICARTestFileWrittenWin", + "objective": "Follow Through", + "parent_details": { + "cmdline": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --from-installer", + "filename": "chrome.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "local_process_id": "6888", + "md5": "acd3e2d7c77985f58069764b87afc435", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33278624073", + "process_id": "33278624073", + "sha256": "d0917153cab9646ff267c7c75b89ca841602687306c7db5aa3aa35a7b39832ca", + "timestamp": "2025-12-04T17:03:20Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "33278624073", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10418, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-HkJT3IeiefWlJoUF8QMXwAATiF8C8UCuv0SFXYVyUHrLAqpdy8YOTmqDkHpM1DXZbLEkg==", + "priority_details": { + "raw_value": 10 + }, + "priority_explanation": [ + "[MOD] The severity of the detection: Informational" + ], + "priority_value": 10, + "process_end_time": "1764868910", + "process_id": "33555183721", + "process_start_time": "1764868896", + "product": "epp", + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 10, + "severity_name": "Informational", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "d0917153cab9646ff267c7c75b89ca841602687306c7db5aa3aa35a7b39832ca", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "User Execution", + "technique_id": "T1204", + "template_instance_id": "7919", + "timestamp": "2025-12-04T17:21:40.912Z", + "tree_id": "8596513285", + "tree_root": "30269430413", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33555183721", + "type": "ldt", + "updated_timestamp": "2025-12-04T17:22:47.741099423Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 10, + "severity_name": "Informational", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 04 2025 11:21:40", + "type": "ldt", + "updated_timestamp": "2025-12-04T17:22:47.741099423Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Follow Through", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "User Execution", + "technique_id": "T1204", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --metrics-shmem-handle=3608,i,12308220912622825167,13156181753990439102,524288 --field-trial-handle=2000,i,12160573582351297337,15300254112198967591,262144 --variations-seed-version=20251204-010024.775000 --trace-process-track-uuid=3190709112812521109 --mojo-platform-channel-handle=8984 /prefetch:8", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-04T17:22:11Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:22:13Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "chrome.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33555183721-10418-20615440", + "local_prevalence": "unique", + "local_process_id": 8632, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 10 + }, + "priority_explanation": [ + "[MOD] The severity of the detection: Informational" + ], + "priority_value": 10, + "process_id": 33555183721, + "process_start_time": 1764868896, + "sha256": "d0917153cab9646ff267c7c75b89ca841602687306c7db5aa3aa35a7b39832ca", + "tree_id": 8596513285, + "tree_root": 30269430413, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33555183721", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "2276f05a-34d1-f011-9bde-000d3a1e5143", + "md5": "acd3e2d7c77985f58069764b87afc435", + "alleged_filetype": "exe", + "parent_process_id": 33278624073, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --from-installer", + "filename": "chrome.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "local_process_id": "6888", + "md5": "acd3e2d7c77985f58069764b87afc435", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33278624073", + "process_id": "33278624073", + "sha256": "d0917153cab9646ff267c7c75b89ca841602687306c7db5aa3aa35a7b39832ca", + "timestamp": "2025-12-04T17:03:20Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": "", + "process_end_time": 1764868910, + "incident": "", + "template_instance_id": 7919, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "iconcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868897" + }, + { + "filename": "{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764868897" + }, + { + "filename": "cversions.1.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764868897" + }, + { + "filename": "IconCache.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local", + "timestamp": "1764868897" + }, + { + "filename": "iconcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868897" + }, + { + "filename": "iconcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868898" + }, + { + "filename": "iconcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868898" + }, + { + "filename": "eicar.com.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764868900" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 04 2025 11:22:50", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "jLP863AkuUsMTzkuuHoIjA==:1:61:140", + "_insert_time": "Dec 04 2025 11:23:46", + "_name": "EICARTestFileWrittenWin", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33556569721-10418-20623888", + "confidence": 80, + "context_timestamp": "Dec 04 2025 11:21:46", + "crawled_timestamp": "2025-12-04T17:22:49.544058274Z", + "created_timestamp": "2025-12-04T17:22:49.544052979Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process has written a known EICAR test file. Review the files written by the triggered process.", + "display_name": "EICARTestFileWrittenWin", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33556569721-10418-20623888?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33556569721-10418-20623888", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10418, + "tactic_id": "TA0002", + "technique_id": "T1204", + "tactic": "Execution", + "technique": "User Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33556569721-10418-20623888", + "occurred": "Dec 04 2025 11:22:49", + "pattern_id": 10418, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxQHjzy3RZGd--gkuyrc33XQAATiFUwlKtM6aBAnBH0IvytHYCdy8lwIGus0iki4s6LWCoMw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --metrics-shmem-handle=8380,i,15337769941488956914,10111423245113856094,524288 --field-trial-handle=2000,i,12160573582351297337,15300254112198967591,262144 --variations-seed-version=20251204-010024.775000 --trace-process-track-uuid=3190709114686604807 --mojo-platform-channel-handle=6708 /prefetch:8", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33556569721-10418-20623888", + "confidence": 80, + "context_timestamp": "2025-12-04T17:21:46.485Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "crawled_timestamp": "2025-12-04T17:22:49.544058274Z", + "created_timestamp": "2025-12-04T17:22:49.544052979Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process has written a known EICAR test file. Review the files written by the triggered process.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-04T17:22:11Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:22:13Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "EICARTestFileWrittenWin", + "email_sent": true, + "event_correlation_id": "6a77f05a-34d1-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:33556569721-10418-20623888?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "chrome.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "files_accessed": [ + { + "filename": "{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764868904" + }, + { + "filename": "iconcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868904" + }, + { + "filename": "iconcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868904" + }, + { + "filename": "IconCache.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local", + "timestamp": "1764868904" + }, + { + "filename": "cversions.1.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764868904" + }, + { + "filename": "iconcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868905" + }, + { + "filename": "iconcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868905" + }, + { + "filename": "eicar_com.zip", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764868907" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33556569721-10418-20623888", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33556569721-10418-20623888", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "1544", + "logon_domain": "SKT", + "md5": "acd3e2d7c77985f58069764b87afc435", + "mitre_attack": [ + { + "pattern_id": 10418, + "tactic_id": "TA0002", + "technique_id": "T1204", + "tactic": "Execution", + "technique": "User Execution" + } + ], + "name": "EICARTestFileWrittenWin", + "objective": "Follow Through", + "parent_details": { + "cmdline": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --from-installer", + "filename": "chrome.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "local_process_id": "6888", + "md5": "acd3e2d7c77985f58069764b87afc435", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33278624073", + "process_id": "33278624073", + "sha256": "d0917153cab9646ff267c7c75b89ca841602687306c7db5aa3aa35a7b39832ca", + "timestamp": "2025-12-04T17:03:20Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "33278624073", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10418, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxQHjzy3RZGd--gkuyrc33XQAATiFUwlKtM6aBAnBH0IvytHYCdy8lwIGus0iki4s6LWCoMw==", + "priority_details": { + "raw_value": 10 + }, + "priority_explanation": [ + "[MOD] The severity of the detection: Informational" + ], + "priority_value": 10, + "process_end_time": "1764868917", + "process_id": "33556569721", + "process_start_time": "1764868903", + "product": "epp", + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 10, + "severity_name": "Informational", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "d0917153cab9646ff267c7c75b89ca841602687306c7db5aa3aa35a7b39832ca", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "User Execution", + "technique_id": "T1204", + "template_instance_id": "7919", + "timestamp": "2025-12-04T17:21:47.586Z", + "tree_id": "8596513285", + "tree_root": "30269430413", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33556569721", + "type": "ldt", + "updated_timestamp": "2025-12-04T17:22:50.832513342Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 10, + "severity_name": "Informational", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 04 2025 11:21:47", + "type": "ldt", + "updated_timestamp": "2025-12-04T17:22:50.832513342Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Follow Through", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "User Execution", + "technique_id": "T1204", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --metrics-shmem-handle=8380,i,15337769941488956914,10111423245113856094,524288 --field-trial-handle=2000,i,12160573582351297337,15300254112198967591,262144 --variations-seed-version=20251204-010024.775000 --trace-process-track-uuid=3190709114686604807 --mojo-platform-channel-handle=6708 /prefetch:8", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-04T17:22:11Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:22:13Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "chrome.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:33556569721-10418-20623888", + "local_prevalence": "unique", + "local_process_id": 1544, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 10 + }, + "priority_explanation": [ + "[MOD] The severity of the detection: Informational" + ], + "priority_value": 10, + "process_id": 33556569721, + "process_start_time": 1764868903, + "sha256": "d0917153cab9646ff267c7c75b89ca841602687306c7db5aa3aa35a7b39832ca", + "tree_id": 8596513285, + "tree_root": 30269430413, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33556569721", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "6a77f05a-34d1-f011-9bde-000d3a1e5143", + "md5": "acd3e2d7c77985f58069764b87afc435", + "alleged_filetype": "exe", + "parent_process_id": 33278624073, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --from-installer", + "filename": "chrome.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "local_process_id": "6888", + "md5": "acd3e2d7c77985f58069764b87afc435", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:33278624073", + "process_id": "33278624073", + "sha256": "d0917153cab9646ff267c7c75b89ca841602687306c7db5aa3aa35a7b39832ca", + "timestamp": "2025-12-04T17:03:20Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": "", + "process_end_time": 1764868917, + "incident": "", + "template_instance_id": 7919, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764868904" + }, + { + "filename": "iconcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868904" + }, + { + "filename": "iconcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868904" + }, + { + "filename": "IconCache.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local", + "timestamp": "1764868904" + }, + { + "filename": "cversions.1.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Caches", + "timestamp": "1764868904" + }, + { + "filename": "iconcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868905" + }, + { + "filename": "iconcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764868905" + }, + { + "filename": "eicar_com.zip", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764868907" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:44:39", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "dq4x11FQJHq9qRi4cg1faQ==:2:61:140", + "_insert_time": "Dec 02 2025 17:44:47", + "_name": "OnWrite-PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17180835069", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:17179990382-5734-16162576", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:43:31", + "crawled_timestamp": "2025-12-02T23:44:33.622154964Z", + "created_timestamp": "2025-12-02T23:44:33.622137439Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:17179990382-5734-16162576?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:17179990382-5734-16162576", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:17179990382-5734-16162576", + "occurred": "Dec 02 2025 17:44:33", + "pattern_id": 5734, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-tuzjBBwZo3kasBYiCYCiQAATiFlorFWzkcafFr1boUZjBIS-PzLWc_8uWPEAklwYIyyBQ==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17180835069", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c" + } + ], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:17181492137" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "System", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:17179990382-5734-16162576", + "confidence": 70, + "context_timestamp": "2025-12-02T23:43:31.727Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17180835069", + "crawled_timestamp": "2025-12-02T23:44:33.622154964Z", + "created_timestamp": "2025-12-02T23:44:33.622137439Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:42:22Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "ca2f88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:17179990382-5734-16162576?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "System", + "filepath": "System", + "files_written": [ + { + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719011" + } + ], + "global_prevalence": "common", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:17179990382-5734-16162576", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:17179990382-5734-16162576", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "local_prevalence": "common", + "local_process_id": "4", + "logon_domain": "SKT", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-High", + "network_accesses": [ + { + "access_timestamp": "1764114279", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15454" + }, + { + "access_timestamp": "1764114279", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15453" + }, + { + "access_timestamp": "1764114279", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15455" + }, + { + "access_timestamp": "1764114297", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "49683", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15489" + }, + { + "access_timestamp": "1764114297", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "49683", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15480" + }, + { + "access_timestamp": "1764114310", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15522" + }, + { + "access_timestamp": "1764114326", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "49683", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15559" + }, + { + "access_timestamp": "1764114326", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "49683", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15550" + }, + { + "access_timestamp": "1764114372", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15612" + }, + { + "access_timestamp": "1764114390", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15636" + } + ], + "objective": "Falcon Detection Method", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5734, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-tuzjBBwZo3kasBYiCYCiQAATiFlorFWzkcafFr1boUZjBIS-PzLWc_8uWPEAklwYIyyBQ==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The process is: System" + ], + "priority_value": 94, + "process_id": "17179990382", + "process_start_time": "1763649916", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-02T23:43:31.899Z", + "tree_id": "17180835069", + "tree_root": "17179990382", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17179990382", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:44:39.930231027Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:43:31", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:44:39.930231027Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "System", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17180835069", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:42:22Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "System", + "filepath": "System", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:17179990382-5734-16162576", + "local_prevalence": "common", + "local_process_id": 4, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The process is: System" + ], + "priority_value": 94, + "process_id": 17179990382, + "process_start_time": 1763649916, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17180835069, + "tree_root": 17179990382, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17179990382", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "ca2f88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "", + "alleged_filetype": "", + "parent_process_id": "", + "sha1": "", + "parent_details": "", + "grandparent_details": "", + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:17181492137" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719011" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764114279", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15454" + }, + { + "access_timestamp": "1764114279", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15453" + }, + { + "access_timestamp": "1764114279", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15455" + }, + { + "access_timestamp": "1764114297", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "49683", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15489" + }, + { + "access_timestamp": "1764114297", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "49683", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15480" + }, + { + "access_timestamp": "1764114310", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15522" + }, + { + "access_timestamp": "1764114326", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "49683", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15559" + }, + { + "access_timestamp": "1764114326", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "49683", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15550" + }, + { + "access_timestamp": "1764114372", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15612" + }, + { + "access_timestamp": "1764114390", + "access_type": 1, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "88", + "protocol": "TCP", + "remote_address": "10.20.10.17", + "remote_port": "15636" + } + ], + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:52:23", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "K4whz+w2Ofp6BRK5dDgAFg==:0:61:140", + "_insert_time": "Dec 02 2025 17:52:47", + "_name": "OnWrite-MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17182787947", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31372123641-5733-16514576", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:51:16", + "crawled_timestamp": "2025-12-02T23:52:18.909734436Z", + "created_timestamp": "2025-12-02T23:52:18.909725476Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31372123641-5733-16514576?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31372123641-5733-16514576", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31372123641-5733-16514576", + "occurred": "Dec 02 2025 17:52:18", + "pattern_id": 5733, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxjqGxpCA3-qmLVZ6u8iwk8gAATiHem4w85F5ONSbI3bouVchMY1CE_JSJxZ8N8TpHSQL2Eg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17182787947", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume2\\Windows\\Temp\\terabox.exe", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009" + } + ], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31373601499", + "pid:52917f37b9d44993b4d0f0d9024236a1:31375175557", + "pid:52917f37b9d44993b4d0f0d9024236a1:31376819355", + "pid:52917f37b9d44993b4d0f0d9024236a1:31375931853", + "pid:52917f37b9d44993b4d0f0d9024236a1:31383917999", + "pid:52917f37b9d44993b4d0f0d9024236a1:31379464422", + "pid:52917f37b9d44993b4d0f0d9024236a1:31383484645", + "pid:52917f37b9d44993b4d0f0d9024236a1:31386353813", + "pid:52917f37b9d44993b4d0f0d9024236a1:31380119733", + "pid:52917f37b9d44993b4d0f0d9024236a1:31382160725", + "pid:52917f37b9d44993b4d0f0d9024236a1:31381009849", + "pid:52917f37b9d44993b4d0f0d9024236a1:31388776949", + "pid:52917f37b9d44993b4d0f0d9024236a1:31391803369", + "pid:52917f37b9d44993b4d0f0d9024236a1:31392621508", + "pid:52917f37b9d44993b4d0f0d9024236a1:31396277127", + "pid:52917f37b9d44993b4d0f0d9024236a1:31405721771", + "pid:52917f37b9d44993b4d0f0d9024236a1:31396570921", + "pid:52917f37b9d44993b4d0f0d9024236a1:31399167919", + "pid:52917f37b9d44993b4d0f0d9024236a1:31404842340", + "pid:52917f37b9d44993b4d0f0d9024236a1:31407694567", + "pid:52917f37b9d44993b4d0f0d9024236a1:31409801153", + "pid:52917f37b9d44993b4d0f0d9024236a1:31415125657", + "pid:52917f37b9d44993b4d0f0d9024236a1:31408438017", + "pid:52917f37b9d44993b4d0f0d9024236a1:31410338661", + "pid:52917f37b9d44993b4d0f0d9024236a1:31412690761", + "pid:52917f37b9d44993b4d0f0d9024236a1:31413833163", + "pid:52917f37b9d44993b4d0f0d9024236a1:31419479359", + "pid:52917f37b9d44993b4d0f0d9024236a1:31417899659", + "pid:52917f37b9d44993b4d0f0d9024236a1:31420546237", + "pid:52917f37b9d44993b4d0f0d9024236a1:31422578263", + "pid:52917f37b9d44993b4d0f0d9024236a1:31425183335", + "pid:52917f37b9d44993b4d0f0d9024236a1:31427782417", + "pid:52917f37b9d44993b4d0f0d9024236a1:31429819041", + "pid:52917f37b9d44993b4d0f0d9024236a1:31431507639", + "pid:52917f37b9d44993b4d0f0d9024236a1:31433823814", + "pid:52917f37b9d44993b4d0f0d9024236a1:31435587921", + "pid:52917f37b9d44993b4d0f0d9024236a1:31437032843", + "pid:52917f37b9d44993b4d0f0d9024236a1:31440704009", + "pid:52917f37b9d44993b4d0f0d9024236a1:31442900181", + "pid:52917f37b9d44993b4d0f0d9024236a1:31444702660", + "pid:52917f37b9d44993b4d0f0d9024236a1:31447365180", + "pid:52917f37b9d44993b4d0f0d9024236a1:31450639765", + "pid:52917f37b9d44993b4d0f0d9024236a1:31452890785", + "pid:52917f37b9d44993b4d0f0d9024236a1:31454749125", + "pid:52917f37b9d44993b4d0f0d9024236a1:31456563870", + "pid:52917f37b9d44993b4d0f0d9024236a1:31461377870", + "pid:52917f37b9d44993b4d0f0d9024236a1:31462656075", + "pid:52917f37b9d44993b4d0f0d9024236a1:31465364159", + "pid:52917f37b9d44993b4d0f0d9024236a1:31467113584", + "pid:52917f37b9d44993b4d0f0d9024236a1:31469063666" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31372123641-5733-16514576", + "confidence": 70, + "context_timestamp": "2025-12-02T23:51:16.632Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17182787947", + "crawled_timestamp": "2025-12-02T23:52:18.909734436Z", + "created_timestamp": "2025-12-02T23:52:18.909725476Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "263688a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31372123641-5733-16514576?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_accessed": [ + { + "filename": "workdict.xml", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\0511", + "timestamp": "1764719255" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719275" + }, + { + "filename": "workdict.xml", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\0511", + "timestamp": "1764719295" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719295" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719315" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719335" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719355" + }, + { + "filename": "workdict.xml", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\0511", + "timestamp": "1764719375" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719375" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719396" + } + ], + "files_written": [ + { + "filename": "well_known_domains.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping680_1373997347", + "timestamp": "1764719267" + }, + { + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\Temp", + "timestamp": "1764719476" + }, + { + "filename": "Microsoft.CognitiveServices.Speech.core.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping680_2077956631", + "timestamp": "1764719519" + }, + { + "filename": "domain_actions.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping680_1786280974", + "timestamp": "1764718877" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe", + "local_process_id": "8864", + "md5": "df836e6145c8cca28ddfc8f6ccbe78c9", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31350729761", + "process_id": "31350729761", + "sha256": "d3f1cec588c2e0fd3cbd913b0af988a6e4ec2d700a52f3a3112d72506b75c7e2", + "timestamp": "2025-12-02T23:44:30Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31372123641-5733-16514576", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31372123641-5733-16514576", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\Temp\\terabox.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\Temp\\terabox.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "local_prevalence": "common", + "local_process_id": "680", + "logon_domain": "SKT", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "OnWrite-MLSensor-High", + "network_accesses": [ + { + "access_timestamp": "1764718517", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "224.0.0.251", + "remote_port": "5353" + }, + { + "access_timestamp": "1764718517", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": true, + "local_address": "fe80:0:0:0:abed:1170:7c74:abde", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "ff02:0:0:0:0:0:0:fb", + "remote_port": "5353" + } + ], + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-02T23:44:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "parent_process_id": "31351618955", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5733, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxjqGxpCA3-qmLVZ6u8iwk8gAATiHem4w85F5ONSbI3bouVchMY1CE_JSJxZ8N8TpHSQL2Eg==", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": "31372123641", + "process_start_time": "1764718510", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T23:51:16.936Z", + "tree_id": "17182787947", + "tree_root": "31372123641", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31372123641", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:23.73803284Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda", + "user_principal": "Frieda@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:51:16", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:23.73803284Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17182787947", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume2\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31372123641-5733-16514576", + "local_prevalence": "common", + "local_process_id": 680, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": 31372123641, + "process_start_time": 1764718510, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17182787947, + "tree_root": 31372123641, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31372123641", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "email_sent": "true", + "event_correlation_id": "263688a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31351618955, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-02T23:44:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe", + "local_process_id": "8864", + "md5": "df836e6145c8cca28ddfc8f6ccbe78c9", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31350729761", + "process_id": "31350729761", + "sha256": "d3f1cec588c2e0fd3cbd913b0af988a6e4ec2d700a52f3a3112d72506b75c7e2", + "timestamp": "2025-12-02T23:44:30Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "user_principal": "Frieda@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31373601499", + "pid:52917f37b9d44993b4d0f0d9024236a1:31375175557", + "pid:52917f37b9d44993b4d0f0d9024236a1:31376819355", + "pid:52917f37b9d44993b4d0f0d9024236a1:31375931853", + "pid:52917f37b9d44993b4d0f0d9024236a1:31383917999", + "pid:52917f37b9d44993b4d0f0d9024236a1:31379464422", + "pid:52917f37b9d44993b4d0f0d9024236a1:31383484645", + "pid:52917f37b9d44993b4d0f0d9024236a1:31386353813", + "pid:52917f37b9d44993b4d0f0d9024236a1:31380119733", + "pid:52917f37b9d44993b4d0f0d9024236a1:31382160725", + "pid:52917f37b9d44993b4d0f0d9024236a1:31381009849", + "pid:52917f37b9d44993b4d0f0d9024236a1:31388776949", + "pid:52917f37b9d44993b4d0f0d9024236a1:31391803369", + "pid:52917f37b9d44993b4d0f0d9024236a1:31392621508", + "pid:52917f37b9d44993b4d0f0d9024236a1:31396277127", + "pid:52917f37b9d44993b4d0f0d9024236a1:31405721771", + "pid:52917f37b9d44993b4d0f0d9024236a1:31396570921", + "pid:52917f37b9d44993b4d0f0d9024236a1:31399167919", + "pid:52917f37b9d44993b4d0f0d9024236a1:31404842340", + "pid:52917f37b9d44993b4d0f0d9024236a1:31407694567", + "pid:52917f37b9d44993b4d0f0d9024236a1:31409801153", + "pid:52917f37b9d44993b4d0f0d9024236a1:31415125657", + "pid:52917f37b9d44993b4d0f0d9024236a1:31408438017", + "pid:52917f37b9d44993b4d0f0d9024236a1:31410338661", + "pid:52917f37b9d44993b4d0f0d9024236a1:31412690761", + "pid:52917f37b9d44993b4d0f0d9024236a1:31413833163", + "pid:52917f37b9d44993b4d0f0d9024236a1:31419479359", + "pid:52917f37b9d44993b4d0f0d9024236a1:31417899659", + "pid:52917f37b9d44993b4d0f0d9024236a1:31420546237", + "pid:52917f37b9d44993b4d0f0d9024236a1:31422578263", + "pid:52917f37b9d44993b4d0f0d9024236a1:31425183335", + "pid:52917f37b9d44993b4d0f0d9024236a1:31427782417", + "pid:52917f37b9d44993b4d0f0d9024236a1:31429819041", + "pid:52917f37b9d44993b4d0f0d9024236a1:31431507639", + "pid:52917f37b9d44993b4d0f0d9024236a1:31433823814", + "pid:52917f37b9d44993b4d0f0d9024236a1:31435587921", + "pid:52917f37b9d44993b4d0f0d9024236a1:31437032843", + "pid:52917f37b9d44993b4d0f0d9024236a1:31440704009", + "pid:52917f37b9d44993b4d0f0d9024236a1:31442900181", + "pid:52917f37b9d44993b4d0f0d9024236a1:31444702660", + "pid:52917f37b9d44993b4d0f0d9024236a1:31447365180", + "pid:52917f37b9d44993b4d0f0d9024236a1:31450639765", + "pid:52917f37b9d44993b4d0f0d9024236a1:31452890785", + "pid:52917f37b9d44993b4d0f0d9024236a1:31454749125", + "pid:52917f37b9d44993b4d0f0d9024236a1:31456563870", + "pid:52917f37b9d44993b4d0f0d9024236a1:31461377870", + "pid:52917f37b9d44993b4d0f0d9024236a1:31462656075", + "pid:52917f37b9d44993b4d0f0d9024236a1:31465364159", + "pid:52917f37b9d44993b4d0f0d9024236a1:31467113584", + "pid:52917f37b9d44993b4d0f0d9024236a1:31469063666" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\Temp\\terabox.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\Temp\\terabox.exe", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "well_known_domains.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping680_1373997347", + "timestamp": "1764719267" + }, + { + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\Temp", + "timestamp": "1764719476" + }, + { + "filename": "Microsoft.CognitiveServices.Speech.core.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping680_2077956631", + "timestamp": "1764719519" + }, + { + "filename": "domain_actions.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping680_1786280974", + "timestamp": "1764718877" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764718517", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "224.0.0.251", + "remote_port": "5353" + }, + { + "access_timestamp": "1764718517", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": true, + "local_address": "fe80:0:0:0:abed:1170:7c74:abde", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "ff02:0:0:0:0:0:0:fb", + "remote_port": "5353" + } + ], + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume2\\Windows\\Temp\\terabox.exe", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "workdict.xml", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\0511", + "timestamp": "1764719255" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719275" + }, + { + "filename": "workdict.xml", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\0511", + "timestamp": "1764719295" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719295" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719315" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719335" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719355" + }, + { + "filename": "workdict.xml", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\0511", + "timestamp": "1764719375" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719375" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\2028", + "timestamp": "1764719396" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:47:55", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "/QvxgGr2nw2UjIXFgU3COQ==:1:61:140", + "_insert_time": "Dec 02 2025 17:48:47", + "_name": "RemoteFileCopy", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16212240", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:46:51", + "crawled_timestamp": "2025-12-02T23:47:54.025305967Z", + "created_timestamp": "2025-12-02T23:47:54.025295743Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "display_name": "RemoteFileCopy", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16212240?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16212240", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16212240", + "occurred": "Dec 02 2025 17:47:54", + "pattern_id": 10292, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxDvLUfFhdAlEZbQJsV6o7qwAATiHx4P2e8NrGQLj4F-Jhj-FjpQriEWnTGwbCXnDDXxDJeQ==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31471176124" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16212240", + "confidence": 80, + "context_timestamp": "2025-12-02T23:46:51.973Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "crawled_timestamp": "2025-12-02T23:47:54.025305967Z", + "created_timestamp": "2025-12-02T23:47:54.025295743Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:42:22Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "RemoteFileCopy", + "email_sent": true, + "event_correlation_id": "ba3188a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16212240?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "files_written": [ + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719212" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "2025-12-01T23:07:44.531Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16212240", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:47:45Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "11.910030819699385", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16212240", + "ioc_context": [], + "local_prevalence": "low", + "local_process_id": "7176", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "RemoteFileCopy", + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-01T23:07:44.578Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10292, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxDvLUfFhdAlEZbQJsV6o7qwAATiHx4P2e8NrGQLj4F-Jhj-FjpQriEWnTGwbCXnDDXxDJeQ==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_end_time": "1764719214", + "process_id": "31470204763", + "process_start_time": "1764719211", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "template_instance_id": "7090", + "timestamp": "2025-12-02T23:46:52.341Z", + "tree_id": "17181090083", + "tree_root": "31470204763", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31470204763", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:47:55.357031879Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:46:52", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:47:55.357031879Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:42:22Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16212240", + "local_prevalence": "low", + "local_process_id": 7176, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_id": 31470204763, + "process_start_time": 1764719211, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17181090083, + "tree_root": 31470204763, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31470204763", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "ba3188a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-01T23:07:44.578Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "2025-12-01T23:07:44.531Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31471176124" + ], + "process_end_time": 1764719214, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:47:45Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "11.910030819699385", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 7090, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719212" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:52:31", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "K4whz+w2Ofp6BRK5dDgAFg==:3:61:140", + "_insert_time": "Dec 02 2025 17:52:47", + "_name": "RemoteFileCopy", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16230672", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:46:52", + "crawled_timestamp": "2025-12-02T23:52:28.810619984Z", + "created_timestamp": "2025-12-02T23:52:28.81061013Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "display_name": "RemoteFileCopy", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16230672?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16230672", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16230672", + "occurred": "Dec 02 2025 17:52:28", + "pattern_id": 10292, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxNY-KmjkVIN9UijvuPm9yCAAATiFVIKLK7qR644safY_AEacr2MztoTfKQaYuMg6lafTWmQ==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31471176124" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16230672", + "confidence": 80, + "context_timestamp": "2025-12-02T23:46:52.191Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "crawled_timestamp": "2025-12-02T23:52:28.810619984Z", + "created_timestamp": "2025-12-02T23:52:28.81061013Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "RemoteFileCopy", + "email_sent": true, + "event_correlation_id": "013288a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16230672?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719212" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "2025-12-01T23:07:44.531Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16230672", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:51:34Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "50.19090270408699", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16230672", + "ioc_context": [], + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "local_prevalence": "low", + "local_process_id": "7176", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "RemoteFileCopy", + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10292, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxNY-KmjkVIN9UijvuPm9yCAAATiFVIKLK7qR644safY_AEacr2MztoTfKQaYuMg6lafTWmQ==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_end_time": "1764719214", + "process_id": "31470204763", + "process_start_time": "1764719211", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "template_instance_id": "7090", + "timestamp": "2025-12-02T23:46:52.483Z", + "tree_id": "17181090083", + "tree_root": "31470204763", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31470204763", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:31.145630642Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:46:52", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:31.145630642Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-10292-16230672", + "local_prevalence": "low", + "local_process_id": 7176, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_id": 31470204763, + "process_start_time": 1764719211, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17181090083, + "tree_root": 31470204763, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31470204763", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "013288a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "2025-12-01T23:07:44.531Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31471176124" + ], + "process_end_time": 1764719214, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:51:34Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "50.19090270408699", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 7090, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719212" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:47:55", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "/QvxgGr2nw2UjIXFgU3COQ==:3:61:140", + "_insert_time": "Dec 02 2025 17:48:47", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5708-16208912", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:46:51", + "crawled_timestamp": "2025-12-02T23:47:54.04320331Z", + "created_timestamp": "2025-12-02T23:47:54.043195878Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5708-16208912?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5708-16208912", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5708-16208912", + "occurred": "Dec 02 2025 17:47:54", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxheZx_9wowJvUe6RmTVns2wAATiFvXM3p1Zyhaj_WPaQ2Rx3Huf6dXgAWWpugY_rKTq75ig==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31471176124" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5708-16208912", + "confidence": 70, + "context_timestamp": "2025-12-02T23:46:51.879Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "crawled_timestamp": "2025-12-02T23:47:54.04320331Z", + "created_timestamp": "2025-12-02T23:47:54.043195878Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:42:22Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "af3188a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5708-16208912?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719212" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "2025-12-01T23:07:44.531Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5708-16208912", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5708-16208912", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "local_prevalence": "low", + "local_process_id": "7176", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-01T23:07:44.578Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxheZx_9wowJvUe6RmTVns2wAATiFvXM3p1Zyhaj_WPaQ2Rx3Huf6dXgAWWpugY_rKTq75ig==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_end_time": "1764719214", + "process_id": "31470204763", + "process_start_time": "1764719211", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-02T23:46:52.01Z", + "tree_id": "17181090083", + "tree_root": "31470204763", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31470204763", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:47:55.071440583Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:46:52", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:47:55.071440583Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:42:22Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5708-16208912", + "local_prevalence": "low", + "local_process_id": 7176, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_id": 31470204763, + "process_start_time": 1764719211, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17181090083, + "tree_root": 31470204763, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31470204763", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "af3188a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-01T23:07:44.578Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "2025-12-01T23:07:44.531Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31471176124" + ], + "process_end_time": 1764719214, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719212" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:47:57", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "/QvxgGr2nw2UjIXFgU3COQ==:2:61:140", + "_insert_time": "Dec 02 2025 17:48:47", + "_name": "OnWrite-PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16240144", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:46:52", + "crawled_timestamp": "2025-12-02T23:47:54.025748581Z", + "created_timestamp": "2025-12-02T23:47:54.025740338Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16240144?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16240144", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16240144", + "occurred": "Dec 02 2025 17:47:54", + "pattern_id": 5734, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxDTC3PwaDDbTECsUDpq3nrgAATiFHk-feciaA6dT1EHknSxIxa19OGU-i7bFooopSE94QaA==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\msxhlp.dll", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4" + } + ], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31471176124" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16240144", + "confidence": 70, + "context_timestamp": "2025-12-02T23:46:52.406Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "crawled_timestamp": "2025-12-02T23:47:54.025748581Z", + "created_timestamp": "2025-12-02T23:47:54.025740338Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:42:22Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "2d3288a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16240144?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719212" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "2025-12-01T23:07:44.531Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16240144", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16240144", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\msxhlp.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\msxhlp.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "local_prevalence": "low", + "local_process_id": "7176", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-01T23:07:44.578Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5734, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxDTC3PwaDDbTECsUDpq3nrgAATiFHk-feciaA6dT1EHknSxIxa19OGU-i7bFooopSE94QaA==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 94, + "process_end_time": "1764719214", + "process_id": "31470204763", + "process_start_time": "1764719211", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-02T23:46:52.622Z", + "tree_id": "17181090083", + "tree_root": "31470204763", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31470204763", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:47:57.367400761Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:46:52", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:47:57.367400761Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:42:22Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16240144", + "local_prevalence": "low", + "local_process_id": 7176, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 94, + "process_id": 31470204763, + "process_start_time": 1764719211, + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "tree_id": 17181090083, + "tree_root": 31470204763, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31470204763", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "2d3288a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-01T23:07:44.578Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "2025-12-01T23:07:44.531Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31471176124" + ], + "process_end_time": 1764719214, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\msxhlp.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\msxhlp.dll", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719212" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt\\msxhlp.dll", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:47:57", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "/QvxgGr2nw2UjIXFgU3COQ==:0:61:140", + "_insert_time": "Dec 02 2025 17:48:47", + "_name": "OnWrite-PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16242192", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:46:52", + "crawled_timestamp": "2025-12-02T23:47:54.02069413Z", + "created_timestamp": "2025-12-02T23:47:54.020688241Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16242192?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16242192", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16242192", + "occurred": "Dec 02 2025 17:47:54", + "pattern_id": 5734, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxGMzHPTemMduy2cUARVwL1gAATiGmWdeDbjUuoA52FBjIfpjk2M27tX14vi5HyMHAzjCEFw==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\mressvc.dll", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f" + } + ], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31471176124" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16242192", + "confidence": 70, + "context_timestamp": "2025-12-02T23:46:52.672Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "crawled_timestamp": "2025-12-02T23:47:54.02069413Z", + "created_timestamp": "2025-12-02T23:47:54.020688241Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:42:22Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "3c3288a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16242192?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719212" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "2025-12-01T23:07:44.531Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16242192", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16242192", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "local_prevalence": "low", + "local_process_id": "7176", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-01T23:07:44.578Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5734, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxGMzHPTemMduy2cUARVwL1gAATiGmWdeDbjUuoA52FBjIfpjk2M27tX14vi5HyMHAzjCEFw==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 94, + "process_end_time": "1764719214", + "process_id": "31470204763", + "process_start_time": "1764719211", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-02T23:46:52.831Z", + "tree_id": "17181090083", + "tree_root": "31470204763", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31470204763", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:47:57.37962957Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:46:52", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:47:57.37962957Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17181090083", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:42:22Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31470204763-5734-16242192", + "local_prevalence": "low", + "local_process_id": 7176, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 94, + "process_id": 31470204763, + "process_start_time": 1764719211, + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "tree_id": 17181090083, + "tree_root": 31470204763, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31470204763", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "3c3288a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-01T23:07:44.578Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "2025-12-01T23:07:44.531Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31471176124" + ], + "process_end_time": 1764719214, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32", + "timestamp": "1764719212" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume2\\Program Files\\windows nt", + "timestamp": "1764719212" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\mressvc.dll", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:52:31", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "K4whz+w2Ofp6BRK5dDgAFg==:5:61:140", + "_insert_time": "Dec 02 2025 17:52:47", + "_name": "ProcAccessLsass", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16582928", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:51:27", + "crawled_timestamp": "2025-12-02T23:52:31.810900847Z", + "created_timestamp": "2025-12-02T23:52:30.524276559Z", + "data_domains": [ + "Endpoint" + ], + "description": "An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.", + "display_name": "ProcAccessLsass", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16582928?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16582928", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10150, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16582928", + "occurred": "Dec 02 2025 17:52:30", + "pattern_id": 10150, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx37SqE6kXWETL0sy08ftbqQAATiFHxfJZhod5te4oQI2NmZbi1SZw2idbLlpsKBvijK4t8Q==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16582928", + "confidence": 80, + "context_timestamp": "2025-12-02T23:51:27.952Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "crawled_timestamp": "2025-12-02T23:52:31.810900847Z", + "created_timestamp": "2025-12-02T23:52:30.524276559Z", + "data_domains": [ + "Endpoint" + ], + "description": "An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "ProcAccessLsass", + "email_sent": true, + "event_correlation_id": "b13788a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16582928?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16582928", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:51:34Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "50.19090270408699", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16582928", + "ioc_context": [], + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "local_prevalence": "unique", + "local_process_id": "5884", + "logon_domain": "SKT", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 10150, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "ProcAccessLsass", + "objective": "Gain Access", + "parent_details": { + "cmdline": "cmd.exe /c move C:\\Windows\\Temp\\terabox.exe C:\\Windows\\System32\\terabox.exe && C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6240", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31508562353", + "process_id": "31508562353", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:52:04Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "31508562353", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10150, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx37SqE6kXWETL0sy08ftbqQAATiFHxfJZhod5te4oQI2NmZbi1SZw2idbLlpsKBvijK4t8Q==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10150: An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 95, + "process_end_time": "1764719486", + "process_id": "31509899565", + "process_start_time": "1764719484", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "template_instance_id": "15249", + "timestamp": "2025-12-02T23:51:28.484Z", + "tree_id": "17183289713", + "tree_root": "31509899565", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31509899565", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:31.810893133Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:51:28", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:31.810893133Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16582928", + "local_prevalence": "unique", + "local_process_id": 5884, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10150: An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 95, + "process_id": 31509899565, + "process_start_time": 1764719484, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17183289713, + "tree_root": 31509899565, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31509899565", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "b13788a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31508562353, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c move C:\\Windows\\Temp\\terabox.exe C:\\Windows\\System32\\terabox.exe && C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6240", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31508562353", + "process_id": "31508562353", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:52:04Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": "", + "process_end_time": 1764719486, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:51:34Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "50.19090270408699", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 15249, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:52:31", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "K4whz+w2Ofp6BRK5dDgAFg==:4:61:140", + "_insert_time": "Dec 02 2025 17:52:47", + "_name": "ProcAccessLsass", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16583184", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:51:27", + "crawled_timestamp": "2025-12-02T23:52:30.515393704Z", + "created_timestamp": "2025-12-02T23:52:30.515384131Z", + "data_domains": [ + "Endpoint" + ], + "description": "An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.", + "display_name": "ProcAccessLsass", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16583184?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16583184", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10150, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16583184", + "occurred": "Dec 02 2025 17:52:30", + "pattern_id": 10150, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx1_Q7_Y_OozF8a_7P2qJRVQAATiFBuOVnV6UKs6SZaa2E8VAh2Y9VQ5O7rd076QIkRlXJ0A==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16583184", + "confidence": 80, + "context_timestamp": "2025-12-02T23:51:27.952Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "crawled_timestamp": "2025-12-02T23:52:30.515393704Z", + "created_timestamp": "2025-12-02T23:52:30.515384131Z", + "data_domains": [ + "Endpoint" + ], + "description": "An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "ProcAccessLsass", + "email_sent": true, + "event_correlation_id": "b23788a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16583184?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16583184", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:51:34Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "50.19090270408699", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16583184", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "5884", + "logon_domain": "SKT", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 10150, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "ProcAccessLsass", + "objective": "Gain Access", + "parent_details": { + "cmdline": "cmd.exe /c move C:\\Windows\\Temp\\terabox.exe C:\\Windows\\System32\\terabox.exe && C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6240", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31508562353", + "process_id": "31508562353", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:52:04Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "31508562353", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10150, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx1_Q7_Y_OozF8a_7P2qJRVQAATiFBuOVnV6UKs6SZaa2E8VAh2Y9VQ5O7rd076QIkRlXJ0A==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10150: An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 95, + "process_end_time": "1764719486", + "process_id": "31509899565", + "process_start_time": "1764719484", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "template_instance_id": "15249", + "timestamp": "2025-12-02T23:51:28.484Z", + "tree_id": "17183289713", + "tree_root": "31509899565", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31509899565", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:31.322372408Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:51:28", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:31.322372408Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-10150-16583184", + "local_prevalence": "unique", + "local_process_id": 5884, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10150: An unusual process accessed lsass. This might indicate an attempt to dump credentials. Investigate the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 95, + "process_id": 31509899565, + "process_start_time": 1764719484, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17183289713, + "tree_root": 31509899565, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31509899565", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "b23788a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31508562353, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c move C:\\Windows\\Temp\\terabox.exe C:\\Windows\\System32\\terabox.exe && C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6240", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31508562353", + "process_id": "31508562353", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:52:04Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": "", + "process_end_time": 1764719486, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:51:34Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "50.19090270408699", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 15249, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:52:30", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "K4whz+w2Ofp6BRK5dDgAFg==:1:61:140", + "_insert_time": "Dec 02 2025 17:52:47", + "_name": "LsassInjectedThread", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-35-16557072", + "confidence": 60, + "context_timestamp": "Dec 02 2025 17:51:25", + "crawled_timestamp": "2025-12-02T23:52:28.807938404Z", + "created_timestamp": "2025-12-02T23:52:26.773783573Z", + "data_domains": [ + "Endpoint" + ], + "description": "A thread was injected into LSASS.", + "display_name": "LsassInjectedThread", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-35-16557072?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-35-16557072", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 35, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-35-16557072", + "occurred": "Dec 02 2025 17:52:26", + "pattern_id": 35, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxv0XJqcWfBDNQHtfPerqhPAAATiEqSAOk0i7_--7jta8QavQ3GQ7bwU1BY7Pr881FoI1Gmw==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-35-16557072", + "confidence": 60, + "context_timestamp": "2025-12-02T23:51:25.000Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "crawled_timestamp": "2025-12-02T23:52:28.807938404Z", + "created_timestamp": "2025-12-02T23:52:26.773783573Z", + "data_domains": [ + "Endpoint" + ], + "description": "A thread was injected into LSASS.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LsassInjectedThread", + "email_sent": true, + "event_correlation_id": "8b3688a8-d8cf-f011-8baa-7c1e5268cb30", + "external": false, + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-35-16557072?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-35-16557072", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:51:34Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "50.19090270408699", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-35-16557072", + "ioc_context": [], + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "local_prevalence": "unique", + "local_process_id": "5884", + "logon_domain": "SKT", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 35, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "LsassInjectedThread", + "objective": "Gain Access", + "parent_details": { + "cmdline": "cmd.exe /c move C:\\Windows\\Temp\\terabox.exe C:\\Windows\\System32\\terabox.exe && C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6240", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31508562353", + "process_id": "31508562353", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:52:04Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "31508562353", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 35, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxv0XJqcWfBDNQHtfPerqhPAAATiEqSAOk0i7_--7jta8QavQ3GQ7bwU1BY7Pr881FoI1Gmw==", + "priority_details": { + "raw_value": 64 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 64, + "process_end_time": "1764719486", + "process_id": "31509899565", + "process_start_time": "1764719484", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "timestamp": "2025-12-02T23:51:25.6Z", + "tree_id": "17183289713", + "tree_root": "31509899565", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31509899565", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:30.87686391Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:51:25", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:30.87686391Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-35-16557072", + "local_prevalence": "unique", + "local_process_id": 5884, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 64 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 64, + "process_id": 31509899565, + "process_start_time": 1764719484, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17183289713, + "tree_root": 31509899565, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31509899565", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "8b3688a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31508562353, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c move C:\\Windows\\Temp\\terabox.exe C:\\Windows\\System32\\terabox.exe && C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6240", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31508562353", + "process_id": "31508562353", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:52:04Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": "", + "process_end_time": 1764719486, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:51:34Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "50.19090270408699", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "false", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:52:31", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "K4whz+w2Ofp6BRK5dDgAFg==:2:61:140", + "_insert_time": "Dec 02 2025 17:52:47", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-5702-16533008", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:51:24", + "crawled_timestamp": "2025-12-02T23:52:26.776595737Z", + "created_timestamp": "2025-12-02T23:52:26.77658852Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-5702-16533008?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-5702-16533008", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-5702-16533008", + "occurred": "Dec 02 2025 17:52:26", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx6VE_KbwlbgDVUjA-pv0U1wAATiHDQYQME5JQ4D3nQpNnWhcxOdDA_N0-KoxAwXtJppDPHw==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "alleged_filetype": "exe", + "associated_files": [], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-5702-16533008", + "confidence": 70, + "context_timestamp": "2025-12-02T23:51:24.829Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "crawled_timestamp": "2025-12-02T23:52:26.776595737Z", + "created_timestamp": "2025-12-02T23:52:26.77658852Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "373688a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-5702-16533008?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-5702-16533008", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:51:34Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "50.19090270408699", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-5702-16533008", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "local_prevalence": "unique", + "local_process_id": "5884", + "logon_domain": "SKT", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c move C:\\Windows\\Temp\\terabox.exe C:\\Windows\\System32\\terabox.exe && C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6240", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31508562353", + "process_id": "31508562353", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:52:04Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "31508562353", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx6VE_KbwlbgDVUjA-pv0U1wAATiHDQYQME5JQ4D3nQpNnWhcxOdDA_N0-KoxAwXtJppDPHw==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_end_time": "1764719486", + "process_id": "31509899565", + "process_start_time": "1764719484", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T23:51:25.267Z", + "tree_id": "17183289713", + "tree_root": "31509899565", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31509899565", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:31.145345788Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:51:25", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:52:31.145345788Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17183289713", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:50:47Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31509899565-5702-16533008", + "local_prevalence": "unique", + "local_process_id": 5884, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_id": 31509899565, + "process_start_time": 1764719484, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17183289713, + "tree_root": 31509899565, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31509899565", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "373688a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31508562353, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c move C:\\Windows\\Temp\\terabox.exe C:\\Windows\\System32\\terabox.exe && C:\\Windows\\System32\\terabox.exe \"lsdu::go /ynot\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6240", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31508562353", + "process_id": "31508562353", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:52:04Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": "", + "process_end_time": 1764719486, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:51:34Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "50.19090270408699", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:59:15", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "zWFqeOripfhH4igFft6sOg==:4:61:140", + "_insert_time": "Dec 02 2025 17:59:46", + "_name": "PassTheTicketLateralMovement", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-10365-16905232", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:58:08", + "crawled_timestamp": "2025-12-02T23:59:12.314418711Z", + "created_timestamp": "2025-12-02T23:59:11.048861087Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "display_name": "PassTheTicketLateralMovement", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-10365-16905232?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-10365-16905232", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-10365-16905232", + "occurred": "Dec 02 2025 17:59:11", + "pattern_id": 10365, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx4kzTXq5RlqlbSsXRFbVvWgAATiEN708_cnBAMWHVmJ1pCGmY-qTVpxvtfYiCuEJGefBZkg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31530209087" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-10365-16905232", + "confidence": 80, + "context_timestamp": "2025-12-02T23:58:08.911Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "crawled_timestamp": "2025-12-02T23:59:12.314418711Z", + "created_timestamp": "2025-12-02T23:59:11.048861087Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PassTheTicketLateralMovement", + "email_sent": true, + "event_correlation_id": "343b88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-10365-16905232?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-10365-16905232", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:58:12Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-10365-16905232", + "ioc_context": [], + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "local_prevalence": "unique", + "local_process_id": "8964", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "PassTheTicketLateralMovement", + "objective": "Explore", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8288", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31526396973", + "process_id": "31526396973", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:58:51Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31526396973", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10365, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx4kzTXq5RlqlbSsXRFbVvWgAATiEN708_cnBAMWHVmJ1pCGmY-qTVpxvtfYiCuEJGefBZkg==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_end_time": "1764719889", + "process_id": "31527781484", + "process_start_time": "1764719888", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "template_instance_id": "13890", + "timestamp": "2025-12-02T23:58:08.991Z", + "tree_id": "17184555650", + "tree_root": "31527781484", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31527781484", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:59:15.756511385Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:58:08", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:59:15.756511385Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Explore", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-10365-16905232", + "local_prevalence": "unique", + "local_process_id": 8964, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_id": 31527781484, + "process_start_time": 1764719888, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17184555650, + "tree_root": 31527781484, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31527781484", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "343b88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31526396973, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8288", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31526396973", + "process_id": "31526396973", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:58:51Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31530209087" + ], + "process_end_time": 1764719889, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:58:12Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 13890, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:59:15", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "zWFqeOripfhH4igFft6sOg==:3:61:140", + "_insert_time": "Dec 02 2025 17:59:46", + "_name": "SuspiciousLsassMemoryRead", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923152", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:58:09", + "crawled_timestamp": "2025-12-02T23:59:11.036044376Z", + "created_timestamp": "2025-12-02T23:59:11.036037463Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "display_name": "LsassMemoryReadSuspicious", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923152?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923152", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923152", + "occurred": "Dec 02 2025 17:59:11", + "pattern_id": 262, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxan16bQ6_evPkkFZ-5Bi4WgAATiHw6K5x0n6Jn0FN_35ArXg3LfcUEL7jyPLN7Z_04dB-Pg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31530209087" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923152", + "confidence": 70, + "context_timestamp": "2025-12-02T23:58:09.411Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "crawled_timestamp": "2025-12-02T23:59:11.036044376Z", + "created_timestamp": "2025-12-02T23:59:11.036037463Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LsassMemoryReadSuspicious", + "email_sent": true, + "event_correlation_id": "933b88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923152?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923152", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:58:12Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923152", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "8964", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "SuspiciousLsassMemoryRead", + "objective": "Gain Access", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8288", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31526396973", + "process_id": "31526396973", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:58:51Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31526396973", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 262, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxan16bQ6_evPkkFZ-5Bi4WgAATiHw6K5x0n6Jn0FN_35ArXg3LfcUEL7jyPLN7Z_04dB-Pg==", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_end_time": "1764719889", + "process_id": "31527781484", + "process_start_time": "1764719888", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "timestamp": "2025-12-02T23:58:09.782Z", + "tree_id": "17184555650", + "tree_root": "31527781484", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31527781484", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:59:15.935936435Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:58:09", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:59:15.935936435Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923152", + "local_prevalence": "unique", + "local_process_id": 8964, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_id": 31527781484, + "process_start_time": 1764719888, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17184555650, + "tree_root": 31527781484, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31527781484", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "933b88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31526396973, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8288", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31526396973", + "process_id": "31526396973", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:58:51Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31530209087" + ], + "process_end_time": 1764719889, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:58:12Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:59:15", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "zWFqeOripfhH4igFft6sOg==:1:61:140", + "_insert_time": "Dec 02 2025 17:59:46", + "_name": "SuspiciousLsassMemoryRead", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923408", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:58:09", + "crawled_timestamp": "2025-12-02T23:59:13.435740408Z", + "created_timestamp": "2025-12-02T23:59:11.019078085Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "display_name": "LsassMemoryReadSuspicious", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923408?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923408", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923408", + "occurred": "Dec 02 2025 17:59:11", + "pattern_id": 262, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxVd01FTLInG9firaCqxxaFAAATiHxoxXeYEIZZttWpCBTAQ4BDZxhLFWfEv0eAifxbCgX6Q==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31530209087" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923408", + "confidence": 70, + "context_timestamp": "2025-12-02T23:58:09.411Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "crawled_timestamp": "2025-12-02T23:59:13.435740408Z", + "created_timestamp": "2025-12-02T23:59:11.019078085Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LsassMemoryReadSuspicious", + "email_sent": true, + "event_correlation_id": "953b88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923408?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923408", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:58:12Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923408", + "ioc_context": [], + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "local_prevalence": "unique", + "local_process_id": "8964", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "SuspiciousLsassMemoryRead", + "objective": "Gain Access", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8288", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31526396973", + "process_id": "31526396973", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:58:51Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31526396973", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 262, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxVd01FTLInG9firaCqxxaFAAATiHxoxXeYEIZZttWpCBTAQ4BDZxhLFWfEv0eAifxbCgX6Q==", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_end_time": "1764719889", + "process_id": "31527781484", + "process_start_time": "1764719888", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "timestamp": "2025-12-02T23:58:09.782Z", + "tree_id": "17184555650", + "tree_root": "31527781484", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31527781484", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:59:15.75575799Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:58:09", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:59:15.75575799Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-262-16923408", + "local_prevalence": "unique", + "local_process_id": 8964, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_id": 31527781484, + "process_start_time": 1764719888, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17184555650, + "tree_root": 31527781484, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31527781484", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "953b88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31526396973, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8288", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31526396973", + "process_id": "31526396973", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:58:51Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31530209087" + ], + "process_end_time": 1764719889, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:58:12Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:59:15", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "zWFqeOripfhH4igFft6sOg==:2:61:140", + "_insert_time": "Dec 02 2025 17:59:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-5702-16904208", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:58:08", + "crawled_timestamp": "2025-12-02T23:59:11.026573422Z", + "created_timestamp": "2025-12-02T23:59:11.026565923Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-5702-16904208?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-5702-16904208", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-5702-16904208", + "occurred": "Dec 02 2025 17:59:11", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxV3eAJu1X0_yFmVcxLjER_QAATiHEsBJh8Br-vxb64PFZ3sYV2fXhE-NrxBQOACkpN8Ne0g==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31530209087" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-5702-16904208", + "confidence": 70, + "context_timestamp": "2025-12-02T23:58:08.895Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "crawled_timestamp": "2025-12-02T23:59:11.026573422Z", + "created_timestamp": "2025-12-02T23:59:11.026565923Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "303b88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-5702-16904208?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-5702-16904208", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:58:12Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-5702-16904208", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "local_prevalence": "unique", + "local_process_id": "8964", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8288", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31526396973", + "process_id": "31526396973", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:58:51Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31526396973", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxV3eAJu1X0_yFmVcxLjER_QAATiHEsBJh8Br-vxb64PFZ3sYV2fXhE-NrxBQOACkpN8Ne0g==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_end_time": "1764719889", + "process_id": "31527781484", + "process_start_time": "1764719888", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T23:58:08.991Z", + "tree_id": "17184555650", + "tree_root": "31527781484", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31527781484", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:59:15.930538432Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:58:08", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:59:15.930538432Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31527781484-5702-16904208", + "local_prevalence": "unique", + "local_process_id": 8964, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_id": 31527781484, + "process_start_time": 1764719888, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17184555650, + "tree_root": 31527781484, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31527781484", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "303b88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31526396973, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8288", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31526396973", + "process_id": "31526396973", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:58:51Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31530209087" + ], + "process_end_time": 1764719889, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:58:12Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:59:15", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "zWFqeOripfhH4igFft6sOg==:0:61:140", + "_insert_time": "Dec 02 2025 17:59:46", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31530209087-10357-16925968", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:58:09", + "crawled_timestamp": "2025-12-02T23:59:13.436161623Z", + "created_timestamp": "2025-12-02T23:59:11.018252529Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31530209087-10357-16925968?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31530209087-10357-16925968", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31530209087-10357-16925968", + "occurred": "Dec 02 2025 17:59:11", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxSNzKUqdpWYa9rOuZpy-IwwAATiERYvBZ9-IvTsKIO8FTXdby_n2YdlCJ5929nAjAUGBvGg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31531491448" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31530209087-10357-16925968", + "confidence": 80, + "context_timestamp": "2025-12-02T23:58:09.458Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "crawled_timestamp": "2025-12-02T23:59:13.436161623Z", + "created_timestamp": "2025-12-02T23:59:11.018252529Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "ab3b88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31530209087-10357-16925968?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8288", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31526396973", + "process_id": "31526396973", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:58:51Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31530209087-10357-16925968", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:58:12Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31530209087-10357-16925968", + "ioc_context": [], + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "local_prevalence": "common", + "local_process_id": "5936", + "logon_domain": "NT AUTHORITY", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "8964", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31527781484", + "process_id": "31527781484", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-02T23:58:47Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31527781484", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxSNzKUqdpWYa9rOuZpy-IwwAATiERYvBZ9-IvTsKIO8FTXdby_n2YdlCJ5929nAjAUGBvGg==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": "31530209087", + "process_start_time": "1764719889", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-02T23:58:09.782Z", + "tree_id": "17184555650", + "tree_root": "31527781484", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31530209087", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:59:15.923153191Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:58:09", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:59:15.923153191Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17184555650", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31530209087-10357-16925968", + "local_prevalence": "common", + "local_process_id": 5936, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": 31530209087, + "process_start_time": 1764719889, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17184555650, + "tree_root": 31527781484, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31530209087", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "ab3b88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31527781484, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "8964", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31527781484", + "process_id": "31527781484", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-02T23:58:47Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8288", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31526396973", + "process_id": "31526396973", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-02T23:58:51Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31531491448" + ], + "process_end_time": "", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-02T23:58:12Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "85bc5931660ab0d219ec0d2780674aff3cb495b68ef26c20e19d1ed4d5afc0e5", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 13:55:43", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "fRzlHFjVR/8+A9R9ubLTfg==:2:61:140", + "_insert_time": "Dec 02 2025 13:55:46", + "_name": "MalwareProcess", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4297738777", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-10116-2364688", + "confidence": 80, + "context_timestamp": "Dec 02 2025 13:54:38", + "crawled_timestamp": "2025-12-02T19:55:40.167657083Z", + "created_timestamp": "2025-12-02T19:55:40.167646522Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process related to a likely malicious file was launched. Review any binaries involved as they might be related to malware.", + "display_name": "MalwareProcess", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-10116-2364688?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-10116-2364688", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10116, + "tactic_id": "CSTA0003", + "technique_id": "CST0010", + "tactic": "Post-Exploit", + "technique": "Malicious Tool Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-10116-2364688", + "occurred": "Dec 02 2025 13:55:40", + "pattern_id": 10116, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx2MPio8VgLzOrZAqFw9YCrgAATiFHWPgHqYbteFsgnWOZjOx5iq3MzU8yVUP3y2-NhAYZ4A==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4297738777", + "alleged_filetype": "exe", + "associated_files": [], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-10116-2364688", + "confidence": 80, + "context_timestamp": "2025-12-02T19:54:38.038Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4297738777", + "crawled_timestamp": "2025-12-02T19:55:40.167657083Z", + "created_timestamp": "2025-12-02T19:55:40.167646522Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process related to a likely malicious file was launched. Review any binaries involved as they might be related to malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T19:50:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T19:53:26Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MalwareProcess", + "email_sent": true, + "event_correlation_id": "be621505-b6cf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-10116-2364688?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-10116-2364688", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-10116-2364688", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "local_prevalence": "unique", + "local_process_id": "8864", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 10116, + "tactic_id": "CSTA0003", + "technique_id": "CST0010", + "tactic": "Post-Exploit", + "technique": "Malicious Tool Execution" + } + ], + "name": "MalwareProcess", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "9279649300", + "pattern_disposition": 2176, + "pattern_disposition_description": "Prevention/Quarantine, process was blocked from execution and quarantine was attempted.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": true, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10116, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx2MPio8VgLzOrZAqFw9YCrgAATiFHWPgHqYbteFsgnWOZjOx5iq3MzU8yVUP3y2-NhAYZ4A==", + "priority_details": { + "raw_value": 36 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: process blocked" + ], + "priority_value": 36, + "process_end_time": "1764705278", + "process_id": "27241839334", + "process_start_time": "1764705277", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Post-Exploit", + "tactic_id": "CSTA0003", + "technique": "Malicious Tool Execution", + "technique_id": "CST0010", + "template_instance_id": "4637", + "timestamp": "2025-12-02T19:54:38.496Z", + "tree_id": "4297738777", + "tree_root": "27241839334", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27241839334", + "type": "ldt", + "updated_timestamp": "2025-12-02T19:55:43.591306441Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 13:54:38", + "type": "ldt", + "updated_timestamp": "2025-12-02T19:55:43.591306441Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Post-Exploit", + "tactic_id": "CSTA0003", + "technique": "Malicious Tool Execution", + "technique_id": "CST0010", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4297738777", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T19:50:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T19:53:26Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-10116-2364688", + "local_prevalence": "unique", + "local_process_id": 8864, + "logon_domain": "SKT", + "pattern_disposition": 2176, + "pattern_disposition_description": "Prevention/Quarantine, process was blocked from execution and quarantine was attempted.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": true, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 36 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: process blocked" + ], + "priority_value": 36, + "process_id": 27241839334, + "process_start_time": 1764705277, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4297738777, + "tree_root": 27241839334, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27241839334", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "be621505-b6cf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 9279649300, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": "", + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": "", + "process_end_time": 1764705278, + "incident": "", + "template_instance_id": 4637, + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 13:55:43", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "fRzlHFjVR/8+A9R9ubLTfg==:1:61:140", + "_insert_time": "Dec 02 2025 13:55:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4297738777", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-5702-2363920", + "confidence": 70, + "context_timestamp": "Dec 02 2025 13:54:38", + "crawled_timestamp": "2025-12-02T19:55:40.165920499Z", + "created_timestamp": "2025-12-02T19:55:40.165911494Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-5702-2363920?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-5702-2363920", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-5702-2363920", + "occurred": "Dec 02 2025 13:55:40", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxlc-GYzlT9QG0xyDsRWyHTQAATiGz4j8y9PeIyQOVzVckWieoUn0jhiMdLl4phGCdz0qNcg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4297738777", + "alleged_filetype": "exe", + "associated_files": [], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-5702-2363920", + "confidence": 70, + "context_timestamp": "2025-12-02T19:54:38.038Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4297738777", + "crawled_timestamp": "2025-12-02T19:55:40.165920499Z", + "created_timestamp": "2025-12-02T19:55:40.165911494Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T19:50:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T19:53:26Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "c0621505-b6cf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-5702-2363920?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-5702-2363920", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-5702-2363920", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "local_prevalence": "unique", + "local_process_id": "8864", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "9279649300", + "pattern_disposition": 2432, + "pattern_disposition_description": "Quarantine file + Policy Disabled + Block Process", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": true, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxlc-GYzlT9QG0xyDsRWyHTQAATiGz4j8y9PeIyQOVzVckWieoUn0jhiMdLl4phGCdz0qNcg==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: explorer.exe" + ], + "priority_value": 99, + "process_end_time": "1764705278", + "process_id": "27241839334", + "process_start_time": "1764705277", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T19:54:38.496Z", + "tree_id": "4297738777", + "tree_root": "27241839334", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27241839334", + "type": "ldt", + "updated_timestamp": "2025-12-02T19:55:43.592406295Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 13:54:38", + "type": "ldt", + "updated_timestamp": "2025-12-02T19:55:43.592406295Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4297738777", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T19:50:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T19:53:26Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27241839334-5702-2363920", + "local_prevalence": "unique", + "local_process_id": 8864, + "logon_domain": "SKT", + "pattern_disposition": 2432, + "pattern_disposition_description": "Quarantine file + Policy Disabled + Block Process", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": true, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: explorer.exe" + ], + "priority_value": 99, + "process_id": 27241839334, + "process_start_time": 1764705277, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4297738777, + "tree_root": 27241839334, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27241839334", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "c0621505-b6cf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 9279649300, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": "", + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": "", + "process_end_time": 1764705278, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 14:41:55", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "b+I4ILlmzjDOys3WfLmCvg==:2:61:140", + "_insert_time": "Dec 02 2025 14:42:46", + "_name": "StartupFolderPersistence", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778320", + "confidence": 80, + "context_timestamp": "Dec 02 2025 14:40:49", + "crawled_timestamp": "2025-12-02T20:41:51.148549554Z", + "created_timestamp": "2025-12-02T20:41:51.148541089Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process copied a suspicious file to the startup folder that might indicate a malicious persistence mechanism. Investigate the process tree and the file dropped.", + "display_name": "StartupFolderPersistence", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778320?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778320", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10500, + "tactic_id": "TA0003", + "technique_id": "T1547", + "tactic": "Persistence", + "technique": "Boot or Logon Autostart Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778320", + "occurred": "Dec 02 2025 14:41:51", + "pattern_id": 10500, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxcI914AVurF6VY1XVIph8wgAATiF_JXJFvxT-KcgKZlDcAv_n39u1A3eiZQgg-3Oti6oRbQ==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27486041955" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778320", + "confidence": 80, + "context_timestamp": "2025-12-02T20:40:49.085Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "crawled_timestamp": "2025-12-02T20:41:51.148549554Z", + "created_timestamp": "2025-12-02T20:41:51.148541089Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process copied a suspicious file to the startup folder that might indicate a malicious persistence mechanism. Investigate the process tree and the file dropped.", + "detection_context": { + "reg_object_name": "\\REGISTRY\\USER\\S-1-5-21-4168186624-547105363-3065826963-1111\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", + "reg_operation_type": 1, + "reg_string_value": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe,C:\\Windows\\explorer.exe", + "reg_type": 1, + "reg_value_name": "Shell" + }, + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:41:33Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "StartupFolderPersistence", + "email_sent": true, + "event_correlation_id": "b8085ba5-becf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778320?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764708049" + } + ], + "global_prevalence": "low", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778320", + "incident": { + "created": "2025-12-02T19:54:38Z", + "end": "2025-12-02T20:40:49Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:a22d7eac96f041dd8b0adec44aa6b5dd", + "score": "22.811097154528298", + "start": "2025-12-02T19:54:38Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778320", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "4416", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 10500, + "tactic_id": "TA0003", + "technique_id": "T1547", + "tactic": "Persistence", + "technique": "Boot or Logon Autostart Execution" + } + ], + "name": "StartupFolderPersistence", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "9279649300", + "pattern_disposition": 4096, + "pattern_disposition_description": "Registry Operation Blocked", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": true, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10500, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxcI914AVurF6VY1XVIph8wgAATiF_JXJFvxT-KcgKZlDcAv_n39u1A3eiZQgg-3Oti6oRbQ==", + "priority_details": { + "raw_value": 43 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: registry operation blocked" + ], + "priority_value": 43, + "process_end_time": "1764708049", + "process_id": "27484237284", + "process_start_time": "1764708048", + "product": "epp", + "scenario": "establish_persistence", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Persistence", + "tactic_id": "TA0003", + "technique": "Boot or Logon Autostart Execution", + "technique_id": "T1547", + "template_instance_id": "14700", + "template_interface_id": 28, + "template_interface_name": "RegistryValueModifiedUIContext", + "timestamp": "2025-12-02T20:40:49.505Z", + "tree_id": "4298427445", + "tree_root": "27484237284", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27484237284", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:41:55.294149088Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "establish_persistence", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 14:40:49", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:41:55.294149088Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Keep Access", + "tactic": "Persistence", + "tactic_id": "TA0003", + "technique": "Boot or Logon Autostart Execution", + "technique_id": "T1547", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:41:33Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778320", + "local_prevalence": "unique", + "local_process_id": 4416, + "logon_domain": "SKT", + "pattern_disposition": 4096, + "pattern_disposition_description": "Registry Operation Blocked", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": true, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 43 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: registry operation blocked" + ], + "priority_value": 43, + "process_id": 27484237284, + "process_start_time": 1764708048, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4298427445, + "tree_root": 27484237284, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27484237284", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "b8085ba5-becf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 9279649300, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": "", + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27486041955" + ], + "process_end_time": 1764708049, + "incident": { + "created": "2025-12-02T19:54:38Z", + "end": "2025-12-02T20:40:49Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:a22d7eac96f041dd8b0adec44aa6b5dd", + "score": "22.811097154528298", + "start": "2025-12-02T19:54:38Z" + }, + "template_instance_id": 14700, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764708049" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": { + "reg_object_name": "\\REGISTRY\\USER\\S-1-5-21-4168186624-547105363-3065826963-1111\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", + "reg_operation_type": 1, + "reg_string_value": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe,C:\\Windows\\explorer.exe", + "reg_type": 1, + "reg_value_name": "Shell" + }, + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": 28, + "template_interface_name": "RegistryValueModifiedUIContext", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 14:41:55", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "b+I4ILlmzjDOys3WfLmCvg==:1:61:140", + "_insert_time": "Dec 02 2025 14:42:46", + "_name": "StartupFolderPersistence", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778832", + "confidence": 80, + "context_timestamp": "Dec 02 2025 14:40:49", + "crawled_timestamp": "2025-12-02T20:41:51.131961451Z", + "created_timestamp": "2025-12-02T20:41:51.131955886Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process copied a suspicious file to the startup folder that might indicate a malicious persistence mechanism. Investigate the process tree and the file dropped.", + "display_name": "StartupFolderPersistence", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778832?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778832", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10500, + "tactic_id": "TA0003", + "technique_id": "T1547", + "tactic": "Persistence", + "technique": "Boot or Logon Autostart Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778832", + "occurred": "Dec 02 2025 14:41:51", + "pattern_id": 10500, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxTg7j2U7LeCYzRBLsI5etggAATiGzwSqnNqi5ds6rcO04aW8e1kJRxYyw-yfhG4gwjWtXvg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27486041955" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778832", + "confidence": 80, + "context_timestamp": "2025-12-02T20:40:49.093Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "crawled_timestamp": "2025-12-02T20:41:51.131961451Z", + "created_timestamp": "2025-12-02T20:41:51.131955886Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process copied a suspicious file to the startup folder that might indicate a malicious persistence mechanism. Investigate the process tree and the file dropped.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:41:33Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "StartupFolderPersistence", + "email_sent": true, + "event_correlation_id": "b8085ba5-becf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778832?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764708049" + } + ], + "global_prevalence": "low", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778832", + "incident": { + "created": "2025-12-02T19:54:38Z", + "end": "2025-12-02T20:40:49Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:a22d7eac96f041dd8b0adec44aa6b5dd", + "score": "22.811097154528298", + "start": "2025-12-02T19:54:38Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778832", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "unique", + "local_process_id": "4416", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 10500, + "tactic_id": "TA0003", + "technique_id": "T1547", + "tactic": "Persistence", + "technique": "Boot or Logon Autostart Execution" + } + ], + "name": "StartupFolderPersistence", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "9279649300", + "pattern_disposition": 4112, + "pattern_disposition_description": "Kill Process + Registry Operation Blocked", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": true, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10500, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxTg7j2U7LeCYzRBLsI5etggAATiGzwSqnNqi5ds6rcO04aW8e1kJRxYyw-yfhG4gwjWtXvg==", + "priority_details": { + "raw_value": 43 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: registry operation blocked" + ], + "priority_value": 43, + "process_end_time": "1764708049", + "process_id": "27484237284", + "process_start_time": "1764708048", + "product": "epp", + "scenario": "establish_persistence", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Persistence", + "tactic_id": "TA0003", + "technique": "Boot or Logon Autostart Execution", + "technique_id": "T1547", + "template_instance_id": "14700", + "timestamp": "2025-12-02T20:40:49.505Z", + "tree_id": "4298427445", + "tree_root": "27484237284", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27484237284", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:41:55.444951898Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "establish_persistence", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 14:40:49", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:41:55.444951898Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Keep Access", + "tactic": "Persistence", + "tactic_id": "TA0003", + "technique": "Boot or Logon Autostart Execution", + "technique_id": "T1547", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:41:33Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-10500-3778832", + "local_prevalence": "unique", + "local_process_id": 4416, + "logon_domain": "SKT", + "pattern_disposition": 4112, + "pattern_disposition_description": "Kill Process + Registry Operation Blocked", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": true, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 43 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: registry operation blocked" + ], + "priority_value": 43, + "process_id": 27484237284, + "process_start_time": 1764708048, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4298427445, + "tree_root": 27484237284, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27484237284", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "b8085ba5-becf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 9279649300, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": "", + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27486041955" + ], + "process_end_time": 1764708049, + "incident": { + "created": "2025-12-02T19:54:38Z", + "end": "2025-12-02T20:40:49Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:a22d7eac96f041dd8b0adec44aa6b5dd", + "score": "22.811097154528298", + "start": "2025-12-02T19:54:38Z" + }, + "template_instance_id": 14700, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764708049" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 14:41:55", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "b+I4ILlmzjDOys3WfLmCvg==:0:61:140", + "_insert_time": "Dec 02 2025 14:42:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5702-3763216", + "confidence": 70, + "context_timestamp": "Dec 02 2025 14:40:48", + "crawled_timestamp": "2025-12-02T20:41:51.127414231Z", + "created_timestamp": "2025-12-02T20:41:51.127407841Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5702-3763216?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5702-3763216", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5702-3763216", + "occurred": "Dec 02 2025 14:41:51", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxxSkskCkznJqz_g8IwqrQHwAATiEyIeL1HRDCTobQNqkSRvjFe1lwEWxLVb0o5nOZ6wlE3g==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27486041955" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5702-3763216", + "confidence": 70, + "context_timestamp": "2025-12-02T20:40:48.702Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "crawled_timestamp": "2025-12-02T20:41:51.127414231Z", + "created_timestamp": "2025-12-02T20:41:51.127407841Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:41:33Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "6d085ba5-becf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5702-3763216?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764708049" + } + ], + "global_prevalence": "low", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5702-3763216", + "incident": { + "created": "2025-12-02T19:54:38Z", + "end": "2025-12-02T20:40:49Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:a22d7eac96f041dd8b0adec44aa6b5dd", + "score": "22.811097154528298", + "start": "2025-12-02T19:54:38Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5702-3763216", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "local_prevalence": "unique", + "local_process_id": "4416", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "9279649300", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxxSkskCkznJqz_g8IwqrQHwAATiEyIeL1HRDCTobQNqkSRvjFe1lwEWxLVb0o5nOZ6wlE3g==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: explorer.exe" + ], + "priority_value": 99, + "process_end_time": "1764708049", + "process_id": "27484237284", + "process_start_time": "1764708048", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T20:40:49.366Z", + "tree_id": "4298427445", + "tree_root": "27484237284", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27484237284", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:41:55.683965005Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 14:40:49", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:41:55.683965005Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:41:33Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5702-3763216", + "local_prevalence": "unique", + "local_process_id": 4416, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: explorer.exe" + ], + "priority_value": 99, + "process_id": 27484237284, + "process_start_time": 1764708048, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4298427445, + "tree_root": 27484237284, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27484237284", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "6d085ba5-becf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 9279649300, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": "", + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27486041955" + ], + "process_end_time": 1764708049, + "incident": { + "created": "2025-12-02T19:54:38Z", + "end": "2025-12-02T20:40:49Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:a22d7eac96f041dd8b0adec44aa6b5dd", + "score": "22.811097154528298", + "start": "2025-12-02T19:54:38Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764708049" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 14:41:55", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "b+I4ILlmzjDOys3WfLmCvg==:3:61:140", + "_insert_time": "Dec 02 2025 14:42:46", + "_name": "OnWrite-MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5733-3781136", + "confidence": 70, + "context_timestamp": "Dec 02 2025 14:40:49", + "crawled_timestamp": "2025-12-02T20:41:51.692057994Z", + "created_timestamp": "2025-12-02T20:41:51.692051131Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5733-3781136?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5733-3781136", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5733-3781136", + "occurred": "Dec 02 2025 14:41:51", + "pattern_id": 5733, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxSjm1d6pMA_-sK0FXoPHbhwAATiHOoqajHTXhMY4ItoEg6hpupjuKOP_rSzCCbGhl5AtFEw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672" + } + ], + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27486041955" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5733-3781136", + "confidence": 70, + "context_timestamp": "2025-12-02T20:40:49.317Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "crawled_timestamp": "2025-12-02T20:41:51.692057994Z", + "created_timestamp": "2025-12-02T20:41:51.692051131Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:41:33Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "c0085ba5-becf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5733-3781136?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764708049" + } + ], + "global_prevalence": "low", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5733-3781136", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5733-3781136", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "local_prevalence": "unique", + "local_process_id": "4416", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "OnWrite-MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "9279649300", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5733, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxSjm1d6pMA_-sK0FXoPHbhwAATiHOoqajHTXhMY4ItoEg6hpupjuKOP_rSzCCbGhl5AtFEw==", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_end_time": "1764708049", + "process_id": "27484237284", + "process_start_time": "1764708048", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T20:40:50.153Z", + "tree_id": "4298427445", + "tree_root": "27484237284", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27484237284", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:41:55.308257717Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 14:40:50", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:41:55.308257717Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4298427445", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:41:33Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27484237284-5733-3781136", + "local_prevalence": "unique", + "local_process_id": 4416, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": 27484237284, + "process_start_time": 1764708048, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 4298427445, + "tree_root": 27484237284, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27484237284", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "c0085ba5-becf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 9279649300, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": "", + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27486041955" + ], + "process_end_time": 1764708049, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764708049" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 14:50:02", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "iditMOZ4CAFCz+HPmJvFHg==:0:61:140", + "_insert_time": "Dec 02 2025 14:50:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4299402813", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27571043173-5702-4449040", + "confidence": 70, + "context_timestamp": "Dec 02 2025 14:48:57", + "crawled_timestamp": "2025-12-02T20:49:59.861858889Z", + "created_timestamp": "2025-12-02T20:49:59.861821188Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27571043173-5702-4449040?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27571043173-5702-4449040", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27571043173-5702-4449040", + "occurred": "Dec 02 2025 14:49:59", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx6yQ9MO-4DEmB54hu-jik2wAATiFe8bLZ6mr-nS9iA7iU_VuY8mzk3RLLne76-eNeWqD-yg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4299402813", + "alleged_filetype": "exe", + "associated_files": [], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27571043173-5702-4449040", + "confidence": 70, + "context_timestamp": "2025-12-02T20:48:57.036Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4299402813", + "crawled_timestamp": "2025-12-02T20:49:59.861858889Z", + "created_timestamp": "2025-12-02T20:49:59.861821188Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:47:28Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "df6475c3-bfcf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27571043173-5702-4449040?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27571043173-5702-4449040", + "incident": { + "created": "2025-12-02T19:54:38Z", + "end": "2025-12-02T20:48:57Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:a22d7eac96f041dd8b0adec44aa6b5dd", + "score": "22.811097154528298", + "start": "2025-12-02T19:54:38Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27571043173-5702-4449040", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "local_prevalence": "unique", + "local_process_id": "3368", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "9279649300", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx6yQ9MO-4DEmB54hu-jik2wAATiFe8bLZ6mr-nS9iA7iU_VuY8mzk3RLLne76-eNeWqD-yg==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: explorer.exe" + ], + "priority_value": 99, + "process_id": "27571043173", + "process_start_time": "1764708536", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T20:48:57.814Z", + "tree_id": "4299402813", + "tree_root": "27571043173", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27571043173", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:50:02.334211544Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 14:48:57", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:50:02.334211544Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4299402813", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:47:28Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27571043173-5702-4449040", + "local_prevalence": "unique", + "local_process_id": 3368, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: explorer.exe" + ], + "priority_value": 99, + "process_id": 27571043173, + "process_start_time": 1764708536, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 4299402813, + "tree_root": 27571043173, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27571043173", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "df6475c3-bfcf-f011-9bdd-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 9279649300, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "8956", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9279649300", + "process_id": "9279649300", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-01T23:12:34.840Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": "", + "user_principal": "Gunter@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": { + "created": "2025-12-02T19:54:38Z", + "end": "2025-12-02T20:48:57Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:a22d7eac96f041dd8b0adec44aa6b5dd", + "score": "22.811097154528298", + "start": "2025-12-02T19:54:38Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 15:26:54", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "c7ng3+TCPsjgj8I6iwsDvQ==:0:61:140", + "_insert_time": "Dec 02 2025 15:27:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4300882244", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27745990317-5702-5277712", + "confidence": 70, + "context_timestamp": "Dec 02 2025 15:25:49", + "crawled_timestamp": "2025-12-02T21:26:52.486450694Z", + "created_timestamp": "2025-12-02T21:26:52.486441253Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27745990317-5702-5277712?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27745990317-5702-5277712", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27745990317-5702-5277712", + "occurred": "Dec 02 2025 15:26:52", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxIJT5fnJu7KwoJVc3-PBdtQAATiFNPVe1BVZx6MbVsjq9dmNOEQgPlK7foCr0ePE4LCEPVg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4300882244", + "alleged_filetype": "exe", + "associated_files": [], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27745990317-5702-5277712", + "confidence": 70, + "context_timestamp": "2025-12-02T21:25:49.642Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4300882244", + "crawled_timestamp": "2025-12-02T21:26:52.486450694Z", + "created_timestamp": "2025-12-02T21:26:52.486441253Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T21:12:56Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T21:25:20Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "111577f1-c4cf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27745990317-5702-5277712?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10340", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27660807801", + "process_id": "27660807801", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T21:22:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27745990317-5702-5277712", + "incident": { + "created": "2025-12-02T19:54:38Z", + "end": "2025-12-02T21:25:49Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:a22d7eac96f041dd8b0adec44aa6b5dd", + "score": "22.811097154528298", + "start": "2025-12-02T19:54:38Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27745990317-5702-5277712", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "local_prevalence": "unique", + "local_process_id": "5964", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "10092", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27661539464", + "process_id": "27661539464", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T21:22:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "27661539464", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxIJT5fnJu7KwoJVc3-PBdtQAATiFNPVe1BVZx6MbVsjq9dmNOEQgPlK7foCr0ePE4LCEPVg==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 99, + "process_id": "27745990317", + "process_start_time": "1764710749", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T21:25:50.451Z", + "tree_id": "4300882244", + "tree_root": "27745990317", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27745990317", + "type": "ldt", + "updated_timestamp": "2025-12-02T21:26:54.354948325Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 15:25:50", + "type": "ldt", + "updated_timestamp": "2025-12-02T21:26:54.354948325Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4300882244", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T21:12:56Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T21:25:20Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27745990317-5702-5277712", + "local_prevalence": "unique", + "local_process_id": 5964, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 99, + "process_id": 27745990317, + "process_start_time": 1764710749, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 4300882244, + "tree_root": 27745990317, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27745990317", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "111577f1-c4cf-f011-9bdd-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 27661539464, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "10092", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27661539464", + "process_id": "27661539464", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T21:22:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10340", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27660807801", + "process_id": "27660807801", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T21:22:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": { + "created": "2025-12-02T19:54:38Z", + "end": "2025-12-02T21:25:49Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:a22d7eac96f041dd8b0adec44aa6b5dd", + "score": "22.811097154528298", + "start": "2025-12-02T19:54:38Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 16:21:12", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "Osu8t4d/hE4Xm+2ZERjeyA==:1:61:140", + "_insert_time": "Dec 02 2025 16:21:46", + "_name": "StartupFolderPersistence", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946128", + "confidence": 80, + "context_timestamp": "Dec 02 2025 16:20:06", + "crawled_timestamp": "2025-12-02T22:21:09.105617952Z", + "created_timestamp": "2025-12-02T22:21:09.105603619Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process copied a suspicious file to the startup folder that might indicate a malicious persistence mechanism. Investigate the process tree and the file dropped.", + "display_name": "StartupFolderPersistence", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946128?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946128", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10500, + "tactic_id": "TA0003", + "technique_id": "T1547", + "tactic": "Persistence", + "technique": "Boot or Logon Autostart Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946128", + "occurred": "Dec 02 2025 16:21:09", + "pattern_id": 10500, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-2UEvlBMjeOEFflBvU5_zwAATiHaEJYZZqIVuJAnKhPBbmJr_a-ttrQ212ju2tv1c2kU9A==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27953323653" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946128", + "confidence": 80, + "context_timestamp": "2025-12-02T22:20:06.901Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "crawled_timestamp": "2025-12-02T22:21:09.105617952Z", + "created_timestamp": "2025-12-02T22:21:09.105603619Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process copied a suspicious file to the startup folder that might indicate a malicious persistence mechanism. Investigate the process tree and the file dropped.", + "detection_context": { + "reg_object_name": "\\REGISTRY\\USER\\S-1-5-21-4168186624-547105363-3065826963-1111\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", + "reg_operation_type": 1, + "reg_string_value": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe,C:\\Windows\\explorer.exe", + "reg_type": 1, + "reg_value_name": "Shell" + }, + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:18:54Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "StartupFolderPersistence", + "email_sent": true, + "event_correlation_id": "e3d59e7a-cacf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946128?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714007" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946128", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946128", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "3848", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 10500, + "tactic_id": "TA0003", + "technique_id": "T1547", + "tactic": "Persistence", + "technique": "Boot or Logon Autostart Execution" + } + ], + "name": "StartupFolderPersistence", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:20:22Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "27855411189", + "pattern_disposition": 4096, + "pattern_disposition_description": "Registry Operation Blocked", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": true, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10500, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-2UEvlBMjeOEFflBvU5_zwAATiHaEJYZZqIVuJAnKhPBbmJr_a-ttrQ212ju2tv1c2kU9A==", + "priority_details": { + "raw_value": 43 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: registry operation blocked" + ], + "priority_value": 43, + "process_end_time": "1764714006", + "process_id": "27952425358", + "process_start_time": "1764714006", + "product": "epp", + "scenario": "establish_persistence", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Persistence", + "tactic_id": "TA0003", + "technique": "Boot or Logon Autostart Execution", + "technique_id": "T1547", + "template_instance_id": "14700", + "template_interface_id": 28, + "template_interface_name": "RegistryValueModifiedUIContext", + "timestamp": "2025-12-02T22:20:07.355Z", + "tree_id": "4302052203", + "tree_root": "27952425358", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27952425358", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:21:12.598118483Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "establish_persistence", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 16:20:07", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:21:12.598118483Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Keep Access", + "tactic": "Persistence", + "tactic_id": "TA0003", + "technique": "Boot or Logon Autostart Execution", + "technique_id": "T1547", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:18:54Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946128", + "local_prevalence": "unique", + "local_process_id": 3848, + "logon_domain": "SKT", + "pattern_disposition": 4096, + "pattern_disposition_description": "Registry Operation Blocked", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": true, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 43 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: registry operation blocked" + ], + "priority_value": 43, + "process_id": 27952425358, + "process_start_time": 1764714006, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4302052203, + "tree_root": 27952425358, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27952425358", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "e3d59e7a-cacf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 27855411189, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:20:22Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27953323653" + ], + "process_end_time": 1764714006, + "incident": "", + "template_instance_id": 14700, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714007" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": { + "reg_object_name": "\\REGISTRY\\USER\\S-1-5-21-4168186624-547105363-3065826963-1111\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", + "reg_operation_type": 1, + "reg_string_value": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe,C:\\Windows\\explorer.exe", + "reg_type": 1, + "reg_value_name": "Shell" + }, + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": 28, + "template_interface_name": "RegistryValueModifiedUIContext", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 16:21:12", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "Osu8t4d/hE4Xm+2ZERjeyA==:2:61:140", + "_insert_time": "Dec 02 2025 16:21:46", + "_name": "StartupFolderPersistence", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946640", + "confidence": 80, + "context_timestamp": "Dec 02 2025 16:20:06", + "crawled_timestamp": "2025-12-02T22:21:09.110840016Z", + "created_timestamp": "2025-12-02T22:21:09.110829786Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process copied a suspicious file to the startup folder that might indicate a malicious persistence mechanism. Investigate the process tree and the file dropped.", + "display_name": "StartupFolderPersistence", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946640?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946640", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10500, + "tactic_id": "TA0003", + "technique_id": "T1547", + "tactic": "Persistence", + "technique": "Boot or Logon Autostart Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946640", + "occurred": "Dec 02 2025 16:21:09", + "pattern_id": 10500, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxDUssr4KZjvmIXnQ710uqRgAATiFEsZcy3vX9G9HrfEl1jlcnb5bvRjcKtjv8IxpNZuooTA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27953323653" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946640", + "confidence": 80, + "context_timestamp": "2025-12-02T22:20:06.917Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "crawled_timestamp": "2025-12-02T22:21:09.110840016Z", + "created_timestamp": "2025-12-02T22:21:09.110829786Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process copied a suspicious file to the startup folder that might indicate a malicious persistence mechanism. Investigate the process tree and the file dropped.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:18:54Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "StartupFolderPersistence", + "email_sent": true, + "event_correlation_id": "e3d59e7a-cacf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946640?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714007" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946640", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946640", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "3848", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 10500, + "tactic_id": "TA0003", + "technique_id": "T1547", + "tactic": "Persistence", + "technique": "Boot or Logon Autostart Execution" + } + ], + "name": "StartupFolderPersistence", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:20:22Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "27855411189", + "pattern_disposition": 4112, + "pattern_disposition_description": "Kill Process + Registry Operation Blocked", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": true, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10500, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxDUssr4KZjvmIXnQ710uqRgAATiFEsZcy3vX9G9HrfEl1jlcnb5bvRjcKtjv8IxpNZuooTA==", + "priority_details": { + "raw_value": 43 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: registry operation blocked" + ], + "priority_value": 43, + "process_end_time": "1764714006", + "process_id": "27952425358", + "process_start_time": "1764714006", + "product": "epp", + "scenario": "establish_persistence", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Persistence", + "tactic_id": "TA0003", + "technique": "Boot or Logon Autostart Execution", + "technique_id": "T1547", + "template_instance_id": "14700", + "timestamp": "2025-12-02T22:20:07.355Z", + "tree_id": "4302052203", + "tree_root": "27952425358", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27952425358", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:21:12.581656716Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "establish_persistence", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 16:20:07", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:21:12.581656716Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Keep Access", + "tactic": "Persistence", + "tactic_id": "TA0003", + "technique": "Boot or Logon Autostart Execution", + "technique_id": "T1547", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:18:54Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-10500-5946640", + "local_prevalence": "unique", + "local_process_id": 3848, + "logon_domain": "SKT", + "pattern_disposition": 4112, + "pattern_disposition_description": "Kill Process + Registry Operation Blocked", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": true, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 43 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: registry operation blocked" + ], + "priority_value": 43, + "process_id": 27952425358, + "process_start_time": 1764714006, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4302052203, + "tree_root": 27952425358, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27952425358", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "e3d59e7a-cacf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 27855411189, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:20:22Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27953323653" + ], + "process_end_time": 1764714006, + "incident": "", + "template_instance_id": 14700, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714007" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 16:21:12", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "Osu8t4d/hE4Xm+2ZERjeyA==:0:61:140", + "_insert_time": "Dec 02 2025 16:21:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5702-5943568", + "confidence": 70, + "context_timestamp": "Dec 02 2025 16:20:06", + "crawled_timestamp": "2025-12-02T22:21:09.097939564Z", + "created_timestamp": "2025-12-02T22:21:09.097932636Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5702-5943568?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5702-5943568", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5702-5943568", + "occurred": "Dec 02 2025 16:21:09", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxhR1gWE7yFDACW_jgh6uGJAAATiEJH5Tumesdspz56SwySPYTM_Sqywdjs8RIjXnOnqzq-g==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27953323653" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5702-5943568", + "confidence": 70, + "context_timestamp": "2025-12-02T22:20:06.558Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "crawled_timestamp": "2025-12-02T22:21:09.097939564Z", + "created_timestamp": "2025-12-02T22:21:09.097932636Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:18:54Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "8ad59e7a-cacf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5702-5943568?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714007" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5702-5943568", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5702-5943568", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "local_prevalence": "unique", + "local_process_id": "3848", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:20:22Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "27855411189", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxhR1gWE7yFDACW_jgh6uGJAAATiEJH5Tumesdspz56SwySPYTM_Sqywdjs8RIjXnOnqzq-g==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 99, + "process_end_time": "1764714006", + "process_id": "27952425358", + "process_start_time": "1764714006", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T22:20:07.281Z", + "tree_id": "4302052203", + "tree_root": "27952425358", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27952425358", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:21:12.642119125Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 16:20:07", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:21:12.642119125Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:18:54Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5702-5943568", + "local_prevalence": "unique", + "local_process_id": 3848, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 99, + "process_id": 27952425358, + "process_start_time": 1764714006, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4302052203, + "tree_root": 27952425358, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27952425358", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "8ad59e7a-cacf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 27855411189, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:20:22Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27953323653" + ], + "process_end_time": 1764714006, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714007" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 16:21:12", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "Osu8t4d/hE4Xm+2ZERjeyA==:3:61:140", + "_insert_time": "Dec 02 2025 16:21:46", + "_name": "OnWrite-MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5733-5947920", + "confidence": 70, + "context_timestamp": "Dec 02 2025 16:20:06", + "crawled_timestamp": "2025-12-02T22:21:09.113211779Z", + "created_timestamp": "2025-12-02T22:21:09.113197932Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5733-5947920?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5733-5947920", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5733-5947920", + "occurred": "Dec 02 2025 16:21:09", + "pattern_id": 5733, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx3lQMzyYUsyxd4a5uFPCZsAAATiG700D-wt6UgY7lf3fEMNYlsmWR_WOH9BJ7GWC37VOxGg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672" + } + ], + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27953323653" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5733-5947920", + "confidence": 70, + "context_timestamp": "2025-12-02T22:20:06.980Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "crawled_timestamp": "2025-12-02T22:21:09.113211779Z", + "created_timestamp": "2025-12-02T22:21:09.113197932Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:18:54Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "e9d59e7a-cacf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5733-5947920?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714007" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5733-5947920", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5733-5947920", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "local_prevalence": "unique", + "local_process_id": "3848", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "OnWrite-MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:20:22Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "27855411189", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5733, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx3lQMzyYUsyxd4a5uFPCZsAAATiG700D-wt6UgY7lf3fEMNYlsmWR_WOH9BJ7GWC37VOxGg==", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_end_time": "1764714006", + "process_id": "27952425358", + "process_start_time": "1764714006", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T22:20:07.355Z", + "tree_id": "4302052203", + "tree_root": "27952425358", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27952425358", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:21:12.582920422Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 16:20:07", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:21:12.582920422Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4302052203", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:18:54Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27952425358-5733-5947920", + "local_prevalence": "unique", + "local_process_id": 3848, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": 27952425358, + "process_start_time": 1764714006, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 4302052203, + "tree_root": 27952425358, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27952425358", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "e9d59e7a-cacf-f011-9bdd-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 27855411189, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:20:22Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27953323653" + ], + "process_end_time": 1764714006, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714007" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 16:31:26", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "vxQN+vvEl33qk34tB5nIOQ==:0:61:140", + "_insert_time": "Dec 02 2025 16:31:46", + "_name": "StartupFolderPersistence", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-10500-6046736", + "confidence": 80, + "context_timestamp": "Dec 02 2025 16:30:21", + "crawled_timestamp": "2025-12-02T22:31:23.622029454Z", + "created_timestamp": "2025-12-02T22:31:23.622020126Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process copied a suspicious file to the startup folder that might indicate a malicious persistence mechanism. Investigate the process tree and the file dropped.", + "display_name": "StartupFolderPersistence", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-10500-6046736?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-10500-6046736", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10500, + "tactic_id": "TA0003", + "technique_id": "T1547", + "tactic": "Persistence", + "technique": "Boot or Logon Autostart Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-10500-6046736", + "occurred": "Dec 02 2025 16:31:23", + "pattern_id": 10500, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxI3ScuLrZc4SrFb-b9snDAgAATiFfX75hTp2Xfg2KNlPRHIeDPvW9LnxmPt1ljS-Rh0973A==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27986025125" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-10500-6046736", + "confidence": 80, + "context_timestamp": "2025-12-02T22:30:21.599Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "crawled_timestamp": "2025-12-02T22:31:23.622029454Z", + "created_timestamp": "2025-12-02T22:31:23.622020126Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process copied a suspicious file to the startup folder that might indicate a malicious persistence mechanism. Investigate the process tree and the file dropped.", + "detection_context": { + "reg_object_name": "\\REGISTRY\\USER\\S-1-5-21-4168186624-547105363-3065826963-1111\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", + "reg_operation_type": 1, + "reg_string_value": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe,C:\\Windows\\explorer.exe", + "reg_type": 1, + "reg_value_name": "Shell" + }, + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:30:01Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "StartupFolderPersistence", + "email_sent": true, + "event_correlation_id": "e9de9e7a-cacf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-10500-6046736?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714621" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-10500-6046736", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-10500-6046736", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "10648", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 10500, + "tactic_id": "TA0003", + "technique_id": "T1547", + "tactic": "Persistence", + "technique": "Boot or Logon Autostart Execution" + } + ], + "name": "StartupFolderPersistence", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:30:52Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "27855411189", + "pattern_disposition": 4368, + "pattern_disposition_description": "Kill Process + Policy Disabled + Registry Operation Blocked", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": true, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10500, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxI3ScuLrZc4SrFb-b9snDAgAATiFfX75hTp2Xfg2KNlPRHIeDPvW9LnxmPt1ljS-Rh0973A==", + "priority_details": { + "raw_value": 68 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted registry operation block, but no prevention occurred" + ], + "priority_value": 68, + "process_end_time": "1764714621", + "process_id": "27985041744", + "process_start_time": "1764714621", + "product": "epp", + "scenario": "establish_persistence", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Persistence", + "tactic_id": "TA0003", + "technique": "Boot or Logon Autostart Execution", + "technique_id": "T1547", + "template_instance_id": "14700", + "template_interface_id": 28, + "template_interface_name": "RegistryValueModifiedUIContext", + "timestamp": "2025-12-02T22:30:21.967Z", + "tree_id": "4303327717", + "tree_root": "27985041744", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27985041744", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:31:26.956171782Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "establish_persistence", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 16:30:21", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:31:26.956171782Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Keep Access", + "tactic": "Persistence", + "tactic_id": "TA0003", + "technique": "Boot or Logon Autostart Execution", + "technique_id": "T1547", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:30:01Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-10500-6046736", + "local_prevalence": "unique", + "local_process_id": 10648, + "logon_domain": "SKT", + "pattern_disposition": 4368, + "pattern_disposition_description": "Kill Process + Policy Disabled + Registry Operation Blocked", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": true, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 68 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted registry operation block, but no prevention occurred" + ], + "priority_value": 68, + "process_id": 27985041744, + "process_start_time": 1764714621, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4303327717, + "tree_root": 27985041744, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27985041744", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "e9de9e7a-cacf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 27855411189, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:30:52Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27986025125" + ], + "process_end_time": 1764714621, + "incident": "", + "template_instance_id": 14700, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714621" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": { + "reg_object_name": "\\REGISTRY\\USER\\S-1-5-21-4168186624-547105363-3065826963-1111\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", + "reg_operation_type": 1, + "reg_string_value": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe,C:\\Windows\\explorer.exe", + "reg_type": 1, + "reg_value_name": "Shell" + }, + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": 28, + "template_interface_name": "RegistryValueModifiedUIContext", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 16:31:26", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "vxQN+vvEl33qk34tB5nIOQ==:1:61:140", + "_insert_time": "Dec 02 2025 16:31:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5702-6043920", + "confidence": 70, + "context_timestamp": "Dec 02 2025 16:30:21", + "crawled_timestamp": "2025-12-02T22:31:23.625316962Z", + "created_timestamp": "2025-12-02T22:31:23.625309375Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5702-6043920?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5702-6043920", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5702-6043920", + "occurred": "Dec 02 2025 16:31:23", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxIq1mxE7BjMNg-lEeNbP9gAAATiEEc6dosO6rmfwRCyTNRGOLKk9QzdCqR5oQ7qiFyhpWvA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27986025125" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5702-6043920", + "confidence": 70, + "context_timestamp": "2025-12-02T22:30:21.286Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "crawled_timestamp": "2025-12-02T22:31:23.625316962Z", + "created_timestamp": "2025-12-02T22:31:23.625309375Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:30:01Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "8bde9e7a-cacf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5702-6043920?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714621" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5702-6043920", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5702-6043920", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "local_prevalence": "unique", + "local_process_id": "10648", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:30:52Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "27855411189", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxIq1mxE7BjMNg-lEeNbP9gAAATiEEc6dosO6rmfwRCyTNRGOLKk9QzdCqR5oQ7qiFyhpWvA==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 99, + "process_end_time": "1764714621", + "process_id": "27985041744", + "process_start_time": "1764714621", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T22:30:21.967Z", + "tree_id": "4303327717", + "tree_root": "27985041744", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27985041744", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:31:26.957908389Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 16:30:21", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:31:26.957908389Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:30:01Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5702-6043920", + "local_prevalence": "unique", + "local_process_id": 10648, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 99, + "process_id": 27985041744, + "process_start_time": 1764714621, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4303327717, + "tree_root": 27985041744, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27985041744", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "8bde9e7a-cacf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 27855411189, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:30:52Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27986025125" + ], + "process_end_time": 1764714621, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714621" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 16:31:26", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "vxQN+vvEl33qk34tB5nIOQ==:2:61:140", + "_insert_time": "Dec 02 2025 16:31:46", + "_name": "OnWrite-MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5733-6048016", + "confidence": 70, + "context_timestamp": "Dec 02 2025 16:30:21", + "crawled_timestamp": "2025-12-02T22:31:23.665679933Z", + "created_timestamp": "2025-12-02T22:31:23.665670682Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5733-6048016?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5733-6048016", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5733-6048016", + "occurred": "Dec 02 2025 16:31:23", + "pattern_id": 5733, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxNjfka0PyQ7oxi_Qxzr1iTQAATiFibhidzDx0KKlmJ0mbNaZwQHQJEZF8UfacKpyjhYmWPA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672" + } + ], + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27986025125" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5733-6048016", + "confidence": 70, + "context_timestamp": "2025-12-02T22:30:21.646Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "crawled_timestamp": "2025-12-02T22:31:23.665679933Z", + "created_timestamp": "2025-12-02T22:31:23.665670682Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:30:01Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "f8de9e7a-cacf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5733-6048016?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714621" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5733-6048016", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5733-6048016", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "local_prevalence": "unique", + "local_process_id": "10648", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "OnWrite-MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:30:52Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "27855411189", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5733, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxNjfka0PyQ7oxi_Qxzr1iTQAATiFibhidzDx0KKlmJ0mbNaZwQHQJEZF8UfacKpyjhYmWPA==", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_end_time": "1764714621", + "process_id": "27985041744", + "process_start_time": "1764714621", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T22:30:22.531Z", + "tree_id": "4303327717", + "tree_root": "27985041744", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27985041744", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:31:26.948600273Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 16:30:22", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:31:26.948600273Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\Downloads\\NTFVersion.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4303327717", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:30:01Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:27985041744-5733-6048016", + "local_prevalence": "unique", + "local_process_id": 10648, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": 27985041744, + "process_start_time": 1764714621, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 4303327717, + "tree_root": 27985041744, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27985041744", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "f8de9e7a-cacf-f011-9bdd-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 27855411189, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "9476", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27855411189", + "process_id": "27855411189", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:30:52Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "10272", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:27853958188", + "process_id": "27853958188", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:20:35Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:27986025125" + ], + "process_end_time": 1764714621, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp", + "timestamp": "1764714621" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 16:34:13", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "XxM2d93EOXRr2C0abs3oOA==:0:61:140", + "_insert_time": "Dec 02 2025 16:34:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4304228963", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28042574715-5702-6147088", + "confidence": 70, + "context_timestamp": "Dec 02 2025 16:33:09", + "crawled_timestamp": "2025-12-02T22:34:12.536825048Z", + "created_timestamp": "2025-12-02T22:34:12.536813662Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28042574715-5702-6147088?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28042574715-5702-6147088", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28042574715-5702-6147088", + "occurred": "Dec 02 2025 16:34:12", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxledcYOsuVHHQTVn4qjdQ_AAATiHGNyz-0du6mF6H4a7Ayc60_0ULHk9ZwBn1dKPrvA4uVA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4304228963", + "alleged_filetype": "exe", + "associated_files": [], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28042574715-5702-6147088", + "confidence": 70, + "context_timestamp": "2025-12-02T22:33:09.601Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4304228963", + "crawled_timestamp": "2025-12-02T22:34:12.536825048Z", + "created_timestamp": "2025-12-02T22:34:12.536813662Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:31:46Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "3e06cedf-cecf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28042574715-5702-6147088?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "winlogon.exe", + "filename": "winlogon.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\winlogon.exe", + "local_process_id": "8320", + "md5": "f597fa958fd63accc90cb469e7ddc2a5", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28024057841", + "process_id": "28024057841", + "sha256": "5d4d7c29121f22ef85f442df30c6046212de15958c1aa2649e2c0a4fa40dce41", + "timestamp": "2025-12-02T22:33:05Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28042574715-5702-6147088", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28042574715-5702-6147088", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "local_prevalence": "unique", + "local_process_id": "8552", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7636", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28041027043", + "process_id": "28041027043", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:33:38Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "28041027043", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxledcYOsuVHHQTVn4qjdQ_AAATiHGNyz-0du6mF6H4a7Ayc60_0ULHk9ZwBn1dKPrvA4uVA==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: userinit.exe", + "[MOD] The grandparent process was identified as: winlogon.exe" + ], + "priority_value": 99, + "process_id": "28042574715", + "process_start_time": "1764714789", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T22:33:10.487Z", + "tree_id": "4304228963", + "tree_root": "28042574715", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28042574715", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:34:13.633234078Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 16:33:10", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:34:13.633234078Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4304228963", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:12:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:31:46Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28042574715-5702-6147088", + "local_prevalence": "unique", + "local_process_id": 8552, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: userinit.exe", + "[MOD] The grandparent process was identified as: winlogon.exe" + ], + "priority_value": 99, + "process_id": 28042574715, + "process_start_time": 1764714789, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 4304228963, + "tree_root": 28042574715, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28042574715", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "3e06cedf-cecf-f011-9bdd-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 28041027043, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7636", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28041027043", + "process_id": "28041027043", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:33:38Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "winlogon.exe", + "filename": "winlogon.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\winlogon.exe", + "local_process_id": "8320", + "md5": "f597fa958fd63accc90cb469e7ddc2a5", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28024057841", + "process_id": "28024057841", + "sha256": "5d4d7c29121f22ef85f442df30c6046212de15958c1aa2649e2c0a4fa40dce41", + "timestamp": "2025-12-02T22:33:05Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 16:41:22", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "gZW62uq/fTxMvqoueTA5tg==:0:61:140", + "_insert_time": "Dec 02 2025 16:41:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4304929352", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28130656306-5702-6462224", + "confidence": 70, + "context_timestamp": "Dec 02 2025 16:40:16", + "crawled_timestamp": "2025-12-02T22:41:19.436593988Z", + "created_timestamp": "2025-12-02T22:41:19.436587196Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28130656306-5702-6462224?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28130656306-5702-6462224", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28130656306-5702-6462224", + "occurred": "Dec 02 2025 16:41:19", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx9i0eCODiJFexjO-CowibAwAATiGlg-jNZZvQDtHNXl9mfjzityAo4iV5tmV76GYj8xqGvQ==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4304929352", + "alleged_filetype": "exe", + "associated_files": [], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28130656306-5702-6462224", + "confidence": 70, + "context_timestamp": "2025-12-02T22:40:16.577Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4304929352", + "crawled_timestamp": "2025-12-02T22:41:19.436593988Z", + "created_timestamp": "2025-12-02T22:41:19.436587196Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:32:49Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:37:31Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "0129cedf-cecf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28130656306-5702-6462224?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7636", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28041027043", + "process_id": "28041027043", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:33:38Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28130656306-5702-6462224", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28130656306-5702-6462224", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "local_prevalence": "unique", + "local_process_id": "8864", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "6808", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28043872303", + "process_id": "28043872303", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:40:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "28043872303", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx9i0eCODiJFexjO-CowibAwAATiGlg-jNZZvQDtHNXl9mfjzityAo4iV5tmV76GYj8xqGvQ==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 99, + "process_id": "28130656306", + "process_start_time": "1764715216", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T22:40:17.389Z", + "tree_id": "4304929352", + "tree_root": "28130656306", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28130656306", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:41:22.415460274Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 16:40:17", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:41:22.415460274Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4304929352", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:32:49Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:37:31Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28130656306-5702-6462224", + "local_prevalence": "unique", + "local_process_id": 8864, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 99, + "process_id": 28130656306, + "process_start_time": 1764715216, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 4304929352, + "tree_root": 28130656306, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28130656306", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "0129cedf-cecf-f011-9bdd-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 28043872303, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "6808", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28043872303", + "process_id": "28043872303", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:40:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7636", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28041027043", + "process_id": "28041027043", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:33:38Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 16:54:24", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "zTSK+FRiIOiqtKUSw2ujtQ==:0:61:140", + "_insert_time": "Dec 02 2025 16:54:46", + "_name": "MaliciousInjection", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4306335106", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-10133-6493968", + "confidence": 80, + "context_timestamp": "Dec 02 2025 16:53:16", + "crawled_timestamp": "2025-12-02T22:54:20.82989997Z", + "created_timestamp": "2025-12-02T22:54:18.605789919Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process injected into another process in an unusual way. Investigate the process trees for the injector and injectee.", + "display_name": "MaliciousInjection", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-10133-6493968?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-10133-6493968", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10133, + "tactic_id": "TA0005", + "technique_id": "T1055", + "tactic": "Defense Evasion", + "technique": "Process Injection" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-10133-6493968", + "occurred": "Dec 02 2025 16:54:18", + "pattern_id": 10133, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxb7AgqpwKY8z5O83cabv_WQAATiH_bVxgEU32CZddOWAWW9hl9lFKklJDrOmlx_sh3DUgYA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4306335106", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-10133-6493968", + "confidence": 80, + "context_timestamp": "2025-12-02T22:53:16.240Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4306335106", + "crawled_timestamp": "2025-12-02T22:54:20.82989997Z", + "created_timestamp": "2025-12-02T22:54:18.605789919Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process injected into another process in an unusual way. Investigate the process trees for the injector and injectee.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:32:49Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:51:38Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MaliciousInjection", + "email_sent": true, + "event_correlation_id": "c43b4872-d0cf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-10133-6493968?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7636", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28041027043", + "process_id": "28041027043", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:33:38Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-10133-6493968", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-10133-6493968", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "unique", + "local_process_id": "10624", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 10133, + "tactic_id": "TA0005", + "technique_id": "T1055", + "tactic": "Defense Evasion", + "technique": "Process Injection" + } + ], + "name": "MaliciousInjection", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "6808", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28043872303", + "process_id": "28043872303", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:40:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "28043872303", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10133, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxb7AgqpwKY8z5O83cabv_WQAATiH_bVxgEU32CZddOWAWW9hl9lFKklJDrOmlx_sh3DUgYA==", + "priority_details": { + "raw_value": 62 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 62, + "process_end_time": "1764715996", + "process_id": "28149163953", + "process_start_time": "1764715875", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Process Injection", + "technique_id": "T1055", + "template_instance_id": "4799", + "timestamp": "2025-12-02T22:53:17.311Z", + "tree_id": "4306335106", + "tree_root": "28149163953", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28149163953", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:54:24.006924586Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-500", + "user_name": "adminuser", + "user_principal": "adminuser@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 16:53:17", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:54:24.006924586Z", + "user_name": "adminuser", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Process Injection", + "technique_id": "T1055", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4306335106", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:32:49Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:51:38Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-10133-6493968", + "local_prevalence": "unique", + "local_process_id": 10624, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 62 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 62, + "process_id": 28149163953, + "process_start_time": 1764715875, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 4306335106, + "tree_root": 28149163953, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28149163953", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-500", + "email_sent": "true", + "event_correlation_id": "c43b4872-d0cf-f011-9bdd-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 28043872303, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "6808", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28043872303", + "process_id": "28043872303", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:40:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7636", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28041027043", + "process_id": "28041027043", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:33:38Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "adminuser@skt.local", + "child_process_ids": "", + "process_end_time": 1764715996, + "incident": "", + "template_instance_id": 4799, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 16:52:23", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "AyLER/yPXXSUW/WoRnbPOg==:0:61:140", + "_insert_time": "Dec 02 2025 16:52:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4306335106", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-5702-6487312", + "confidence": 70, + "context_timestamp": "Dec 02 2025 16:51:16", + "crawled_timestamp": "2025-12-02T22:52:19.019620305Z", + "created_timestamp": "2025-12-02T22:52:19.019608954Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-5702-6487312?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-5702-6487312", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-5702-6487312", + "occurred": "Dec 02 2025 16:52:19", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxe3ysdjAvLlqKbsbKk46ayQAATiFbxQXR2COdR-8vjYaaChK7m4dtPjRS_8utRTv9_yfGBw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4306335106", + "alleged_filetype": "exe", + "associated_files": [], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-5702-6487312", + "confidence": 70, + "context_timestamp": "2025-12-02T22:51:16.134Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4306335106", + "crawled_timestamp": "2025-12-02T22:52:19.019620305Z", + "created_timestamp": "2025-12-02T22:52:19.019608954Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:32:49Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:51:38Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "c83a4872-d0cf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-5702-6487312?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7636", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28041027043", + "process_id": "28041027043", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:33:38Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-5702-6487312", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-5702-6487312", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "local_prevalence": "unique", + "local_process_id": "10624", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "6808", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28043872303", + "process_id": "28043872303", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:40:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "28043872303", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxe3ysdjAvLlqKbsbKk46ayQAATiFbxQXR2COdR-8vjYaaChK7m4dtPjRS_8utRTv9_yfGBw==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 99, + "process_id": "28149163953", + "process_start_time": "1764715875", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T22:51:16.896Z", + "tree_id": "4306335106", + "tree_root": "28149163953", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28149163953", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:52:23.683154868Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-500", + "user_name": "adminuser", + "user_principal": "adminuser@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 16:51:16", + "type": "ldt", + "updated_timestamp": "2025-12-02T22:52:23.683154868Z", + "user_name": "adminuser", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe\"", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4306335106", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T22:32:49Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T22:51:38Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:28149163953-5702-6487312", + "local_prevalence": "unique", + "local_process_id": 10624, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 99, + "process_id": 28149163953, + "process_start_time": 1764715875, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 4306335106, + "tree_root": 28149163953, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28149163953", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-500", + "email_sent": "true", + "event_correlation_id": "c83a4872-d0cf-f011-9bdd-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 28043872303, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "6808", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28043872303", + "process_id": "28043872303", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T22:40:33Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7636", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:28041027043", + "process_id": "28041027043", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T22:33:38Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "adminuser@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:21:47", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "mgBkp7q7Cv0d3jUCBvZqQQ==:0:61:140", + "_insert_time": "Dec 02 2025 17:22:46", + "_name": "UnusualLocInjectSysProc", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8593502790", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30078317628-10244-1352208", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:20:43", + "crawled_timestamp": "2025-12-02T23:21:45.824822827Z", + "created_timestamp": "2025-12-02T23:21:45.824815644Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process, launched from an unusual location, injected into a system process. Malware often moves laterally among benign system processes to evade detection. Investigate both the injector and injectee process trees.", + "display_name": "UnusualLocInjectSysProc", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30078317628-10244-1352208?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30078317628-10244-1352208", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10244, + "tactic_id": "TA0005", + "technique_id": "T1055", + "tactic": "Defense Evasion", + "technique": "Process Injection" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30078317628-10244-1352208", + "occurred": "Dec 02 2025 17:21:45", + "pattern_id": 10244, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxkip0vT4kwhtKQuU3Z3sg_wAATiGLFdSYGgjqGEs0XoBV8PyEsx955wC3lXlCgQPxMeP7qg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8593502790", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30165081467", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30179360209", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30157192512", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30217267335", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30252237977", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30253350374", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30273750263", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30280184743", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30281464149", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30284866441", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30285878077", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30286994814", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30290272712", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30293144248", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30293796626", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30294509502", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30295866205", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30298529311", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30288381907", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30301106619", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30301757147", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30308296067", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30309901161", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30311174203", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30322658310", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30319869499", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30327945722", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30333956404", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30335342545", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30334805527", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30355922869", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30376406026", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30393910379", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30402243581", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30400820545", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30403653781", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30399665193", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30403170796", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30398489827", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30405309624", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30406088714", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30407422252", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30409733561", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30412332315", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30410231397", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30410827930", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30428128985", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30444064645", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30454214289", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30460569556" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30078317628-10244-1352208", + "confidence": 80, + "context_timestamp": "2025-12-02T23:20:43.214Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8593502790", + "crawled_timestamp": "2025-12-02T23:21:45.824822827Z", + "created_timestamp": "2025-12-02T23:21:45.824815644Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process, launched from an unusual location, injected into a system process. Malware often moves laterally among benign system processes to evade detection. Investigate both the injector and injectee process trees.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:16:42Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "UnusualLocInjectSysProc", + "email_sent": true, + "event_correlation_id": "ec48807f-d3cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30078317628-10244-1352208?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "788", + "md5": "3588c1ac44dce86a043310b07679c508", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30072932940", + "process_id": "30072932940", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "2025-12-02T23:03:50.491Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30078317628-10244-1352208", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:21:43Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "84.25042291333641", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30078317628-10244-1352208", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "620", + "logon_domain": "SKT", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "mitre_attack": [ + { + "pattern_id": 10244, + "tactic_id": "TA0005", + "technique_id": "T1055", + "tactic": "Defense Evasion", + "technique": "Process Injection" + } + ], + "name": "UnusualLocInjectSysProc", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30075467319", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10244, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxkip0vT4kwhtKQuU3Z3sg_wAATiGLFdSYGgjqGEs0XoBV8PyEsx955wC3lXlCgQPxMeP7qg==", + "priority_details": { + "raw_value": 70 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 70, + "process_id": "30078317628", + "process_start_time": "1764716619", + "product": "epp", + "scenario": "evade_detection", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Process Injection", + "technique_id": "T1055", + "template_instance_id": "595", + "timestamp": "2025-12-02T23:20:43.82Z", + "tree_id": "8593502790", + "tree_root": "30078317628", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30078317628", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:21:47.713066536Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "evade_detection", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:20:43", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:21:47.713066536Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Process Injection", + "technique_id": "T1055", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8593502790", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:16:42Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30078317628-10244-1352208", + "local_prevalence": "common", + "local_process_id": 620, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 70 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 70, + "process_id": 30078317628, + "process_start_time": 1764716619, + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "tree_id": 8593502790, + "tree_root": 30078317628, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30078317628", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "ec48807f-d3cf-f011-9bde-000d3a1e5143", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "alleged_filetype": "exe", + "parent_process_id": 30075467319, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "788", + "md5": "3588c1ac44dce86a043310b07679c508", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30072932940", + "process_id": "30072932940", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "2025-12-02T23:03:50.491Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30165081467", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30179360209", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30157192512", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30217267335", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30252237977", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30253350374", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30273750263", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30280184743", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30281464149", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30284866441", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30285878077", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30286994814", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30290272712", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30293144248", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30293796626", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30294509502", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30295866205", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30298529311", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30288381907", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30301106619", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30301757147", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30308296067", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30309901161", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30311174203", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30322658310", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30319869499", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30327945722", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30333956404", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30335342545", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30334805527", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30355922869", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30376406026", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30393910379", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30402243581", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30400820545", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30403653781", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30399665193", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30403170796", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30398489827", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30405309624", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30406088714", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30407422252", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30409733561", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30412332315", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30410231397", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30410827930", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30428128985", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30444064645", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30454214289", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30460569556" + ], + "process_end_time": "", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:21:43Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "84.25042291333641", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 595, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:21:47", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "mgBkp7q7Cv0d3jUCBvZqQQ==:1:61:140", + "_insert_time": "Dec 02 2025 17:22:46", + "_name": "GenericStandardAppLayerProtocolC2", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-10352-1356816", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:20:43", + "crawled_timestamp": "2025-12-02T23:21:47.700479159Z", + "created_timestamp": "2025-12-02T23:21:45.828161858Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process attempted to communicate using a standard application layer protocol, possibly to a command and control server. Adversaries can use this to blend in with normal network traffic and evade detection. Review the process tree.", + "display_name": "StandardAppLayerProtocolC2", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-10352-1356816?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-10352-1356816", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10352, + "tactic_id": "TA0011", + "technique_id": "T1071", + "tactic": "Command and Control", + "technique": "Application Layer Protocol" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-10352-1356816", + "occurred": "Dec 02 2025 17:21:45", + "pattern_id": 10352, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxrIBmD_gYtLzknU2sgTX1ogAATiHj-XqfjYbEROWq69D1parb0W09Egj71GSfQuHZuW-zXw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-10352-1356816", + "confidence": 80, + "context_timestamp": "2025-12-02T23:20:43.433Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "crawled_timestamp": "2025-12-02T23:21:47.700479159Z", + "created_timestamp": "2025-12-02T23:21:45.828161858Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process attempted to communicate using a standard application layer protocol, possibly to a command and control server. Adversaries can use this to blend in with normal network traffic and evade detection. Review the process tree.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:16:42Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "StandardAppLayerProtocolC2", + "email_sent": true, + "event_correlation_id": "1049807f-d3cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-10352-1356816?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "788", + "md5": "3588c1ac44dce86a043310b07679c508", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30072932940", + "process_id": "30072932940", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "2025-12-02T23:03:50.491Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-10352-1356816", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:21:43Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "84.25042291333641", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-10352-1356816", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "common", + "local_process_id": "1088", + "logon_domain": "SKT", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "mitre_attack": [ + { + "pattern_id": 10352, + "tactic_id": "TA0011", + "technique_id": "T1071", + "tactic": "Command and Control", + "technique": "Application Layer Protocol" + } + ], + "name": "GenericStandardAppLayerProtocolC2", + "network_accesses": [ + { + "access_timestamp": "1764717644", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50238", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + } + ], + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30075467319", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10352, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxrIBmD_gYtLzknU2sgTX1ogAATiHj-XqfjYbEROWq69D1parb0W09Egj71GSfQuHZuW-zXw==", + "priority_details": { + "raw_value": 64 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 64, + "process_id": "30082198673", + "process_start_time": "1764716619", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Application Layer Protocol", + "technique_id": "T1071", + "template_instance_id": "14701", + "timestamp": "2025-12-02T23:20:44.331Z", + "tree_id": "8594136518", + "tree_root": "30082198673", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:21:47.700472507Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:20:44", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:21:47.700472507Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Application Layer Protocol", + "technique_id": "T1071", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:16:42Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-10352-1356816", + "local_prevalence": "common", + "local_process_id": 1088, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 64 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 64, + "process_id": 30082198673, + "process_start_time": 1764716619, + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "tree_id": 8594136518, + "tree_root": 30082198673, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "1049807f-d3cf-f011-9bde-000d3a1e5143", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "alleged_filetype": "exe", + "parent_process_id": 30075467319, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "788", + "md5": "3588c1ac44dce86a043310b07679c508", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30072932940", + "process_id": "30072932940", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "2025-12-02T23:03:50.491Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:21:43Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "84.25042291333641", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 14701, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764717644", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50238", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + } + ], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:27:36", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "anWhyYA+7WnCIen4QPveGg==:0:61:140", + "_insert_time": "Dec 02 2025 17:27:46", + "_name": "OnWrite-PrewittSensorDetect-Low", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1585424", + "confidence": 30, + "context_timestamp": "Dec 02 2025 17:26:30", + "crawled_timestamp": "2025-12-02T23:27:33.039921501Z", + "created_timestamp": "2025-12-02T23:27:33.039914072Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the File Analysis ML algorithm's low-confidence threshold for malware.", + "display_name": "OnWrite-PrewittSensorDetect-Low", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1585424?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1585424", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5743, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1585424", + "occurred": "Dec 02 2025 17:27:33", + "pattern_id": 5743, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxYF5FF0GVqxRWOJiaxzew5AAATiExr5_XT_q-fxFnhyqqcCT8MafNTArQkrfbz-wnClNUQw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a" + } + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1585424", + "confidence": 30, + "context_timestamp": "2025-12-02T23:26:30.885Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "crawled_timestamp": "2025-12-02T23:27:33.039921501Z", + "created_timestamp": "2025-12-02T23:27:33.039914072Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the File Analysis ML algorithm's low-confidence threshold for malware.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:22:26Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "OnWrite-PrewittSensorDetect-Low", + "email_sent": true, + "event_correlation_id": "031de6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1585424?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "files_written": [ + { + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764717990" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "788", + "md5": "3588c1ac44dce86a043310b07679c508", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30072932940", + "process_id": "30072932940", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "2025-12-02T23:03:50.491Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1585424", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1585424", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "local_prevalence": "common", + "local_process_id": "1088", + "logon_domain": "SKT", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "mitre_attack": [ + { + "pattern_id": 5743, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-Low", + "network_accesses": [ + { + "access_timestamp": "1764717644", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50238", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + } + ], + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30075467319", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5743, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxYF5FF0GVqxRWOJiaxzew5AAATiExr5_XT_q-fxFnhyqqcCT8MafNTArQkrfbz-wnClNUQw==", + "priority_details": { + "raw_value": 40 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 40, + "process_id": "30082198673", + "process_start_time": "1764716619", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 30, + "severity_name": "Low", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-02T23:26:31.249Z", + "tree_id": "8594136518", + "tree_root": "30082198673", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:27:36.293951888Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 30, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:26:31", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:27:36.293951888Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:22:26Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1585424", + "local_prevalence": "common", + "local_process_id": 1088, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 40 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 40, + "process_id": 30082198673, + "process_start_time": 1764716619, + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "tree_id": 8594136518, + "tree_root": 30082198673, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "031de6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "alleged_filetype": "exe", + "parent_process_id": 30075467319, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "788", + "md5": "3588c1ac44dce86a043310b07679c508", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30072932940", + "process_id": "30072932940", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "2025-12-02T23:03:50.491Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764717990" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764717644", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50238", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + } + ], + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:32:08", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "dr+n64pZbgsuWkls04zA0w==:0:61:140", + "_insert_time": "Dec 02 2025 17:32:46", + "_name": "OnWrite-PrewittSensorDetect-Low", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1776400", + "confidence": 30, + "context_timestamp": "Dec 02 2025 17:31:04", + "crawled_timestamp": "2025-12-02T23:32:06.496790267Z", + "created_timestamp": "2025-12-02T23:32:06.496780274Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the File Analysis ML algorithm's low-confidence threshold for malware.", + "display_name": "OnWrite-PrewittSensorDetect-Low", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1776400?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1776400", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5743, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1776400", + "occurred": "Dec 02 2025 17:32:06", + "pattern_id": 5743, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxg9Q7bmQdBrJ8Y7wavTt95AAATiHNXMiVz3WxfAxkziSZFiWyZNfn8ktR-OmtM8zJv0gylw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30519053932", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1776400", + "confidence": 30, + "context_timestamp": "2025-12-02T23:31:04.262Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "crawled_timestamp": "2025-12-02T23:32:06.496790267Z", + "created_timestamp": "2025-12-02T23:32:06.496780274Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the File Analysis ML algorithm's low-confidence threshold for malware.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "OnWrite-PrewittSensorDetect-Low", + "email_sent": true, + "event_correlation_id": "aa26e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1776400?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "files_written": [ + { + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764717990" + }, + { + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718263" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "788", + "md5": "3588c1ac44dce86a043310b07679c508", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30072932940", + "process_id": "30072932940", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "2025-12-02T23:03:50.491Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1776400", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1776400", + "ioc_context": [], + "ioc_type": "hash_sha256", + "ioc_value": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "local_prevalence": "common", + "local_process_id": "1088", + "logon_domain": "SKT", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "mitre_attack": [ + { + "pattern_id": 5743, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-Low", + "network_accesses": [ + { + "access_timestamp": "1764717991", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50238", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + } + ], + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30075467319", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5743, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxg9Q7bmQdBrJ8Y7wavTt95AAATiHNXMiVz3WxfAxkziSZFiWyZNfn8ktR-OmtM8zJv0gylw==", + "priority_details": { + "raw_value": 40 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 40, + "process_id": "30082198673", + "process_start_time": "1764716619", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 30, + "severity_name": "Low", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-02T23:31:04.577Z", + "tree_id": "8594136518", + "tree_root": "30082198673", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:32:08.43434286Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 30, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:31:04", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:32:08.43434286Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30082198673-5743-1776400", + "local_prevalence": "common", + "local_process_id": 1088, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 40 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 40, + "process_id": 30082198673, + "process_start_time": 1764716619, + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "tree_id": 8594136518, + "tree_root": 30082198673, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "aa26e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "alleged_filetype": "exe", + "parent_process_id": 30075467319, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "788", + "md5": "3588c1ac44dce86a043310b07679c508", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30072932940", + "process_id": "30072932940", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "2025-12-02T23:03:50.491Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30519053932", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764717990" + }, + { + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718263" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764717991", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50238", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + } + ], + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:07:38", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "+FEyiELTDbeLL57ZufLJjg==:1:61:140", + "_insert_time": "Dec 02 2025 17:07:46", + "_name": "MaliciousInjection", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8590545658", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-10133-775952", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:06:33", + "crawled_timestamp": "2025-12-02T23:07:36.779089117Z", + "created_timestamp": "2025-12-02T23:07:36.779072375Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process injected into another process in an unusual way. Investigate the process trees for the injector and injectee.", + "display_name": "MaliciousInjection", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-10133-775952?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-10133-775952", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10133, + "tactic_id": "TA0005", + "technique_id": "T1055", + "tactic": "Defense Evasion", + "technique": "Process Injection" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-10133-775952", + "occurred": "Dec 02 2025 17:07:36", + "pattern_id": 10133, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxHdlVxfe-5L3LEVxrcwmGcAAATiGhWJfs0nGU6GfE-_lspyssjMyEckzAH-IjTpeRjuEfmw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8590545658", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-10133-775952", + "confidence": 80, + "context_timestamp": "2025-12-02T23:06:33.814Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8590545658", + "crawled_timestamp": "2025-12-02T23:07:36.779089117Z", + "created_timestamp": "2025-12-02T23:07:36.779072375Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process injected into another process in an unusual way. Investigate the process trees for the injector and injectee.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:04:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:06:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MaliciousInjection", + "email_sent": true, + "event_correlation_id": "c229807f-d3cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-10133-775952?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "winlogon.exe", + "filename": "winlogon.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\winlogon.exe", + "local_process_id": "6480", + "md5": "f597fa958fd63accc90cb469e7ddc2a5", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30245755835", + "process_id": "30245755835", + "sha256": "5d4d7c29121f22ef85f442df30c6046212de15958c1aa2649e2c0a4fa40dce41", + "timestamp": "2025-12-02T23:04:20Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-10133-775952", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:07:34Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "26.37161789378807", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-10133-775952", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "7536", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 10133, + "tactic_id": "TA0005", + "technique_id": "T1055", + "tactic": "Defense Evasion", + "technique": "Process Injection" + } + ], + "name": "MaliciousInjection", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "30266885887", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10133, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxHdlVxfe-5L3LEVxrcwmGcAAATiGhWJfs0nGU6GfE-_lspyssjMyEckzAH-IjTpeRjuEfmw==", + "priority_details": { + "raw_value": 62 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 62, + "process_end_time": "1764716794", + "process_id": "30269070036", + "process_start_time": "1764716673", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Process Injection", + "technique_id": "T1055", + "template_instance_id": "4799", + "timestamp": "2025-12-02T23:06:34.446Z", + "tree_id": "8590545658", + "tree_root": "30269070036", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269070036", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:07:38.604269851Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:06:34", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:07:38.604269851Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Process Injection", + "technique_id": "T1055", + "cloud_indicator": "false", + "cmdline": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8590545658", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:04:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:06:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-10133-775952", + "local_prevalence": "unique", + "local_process_id": 7536, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 62 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 62, + "process_id": 30269070036, + "process_start_time": 1764716673, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 8590545658, + "tree_root": 30269070036, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269070036", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "c229807f-d3cf-f011-9bde-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 30266885887, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "winlogon.exe", + "filename": "winlogon.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\winlogon.exe", + "local_process_id": "6480", + "md5": "f597fa958fd63accc90cb469e7ddc2a5", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30245755835", + "process_id": "30245755835", + "sha256": "5d4d7c29121f22ef85f442df30c6046212de15958c1aa2649e2c0a4fa40dce41", + "timestamp": "2025-12-02T23:04:20Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": "", + "process_end_time": 1764716794, + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:07:34Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "26.37161789378807", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 4799, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:05:37", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "l+XaG0ZTSjLrKoy8hQuZAg==:0:61:140", + "_insert_time": "Dec 02 2025 17:05:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8590545658", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-5702-487696", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:04:33", + "crawled_timestamp": "2025-12-02T23:05:36.082550829Z", + "created_timestamp": "2025-12-02T23:05:36.082544315Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-5702-487696?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-5702-487696", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-5702-487696", + "occurred": "Dec 02 2025 17:05:36", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxAFzp3FL1xzMCCLAUdkq53AAATiFDxt0EWGYsHDcWfdS-coENRUCRcNoMf2WbQnl17hIetg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8590545658", + "alleged_filetype": "exe", + "associated_files": [], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-5702-487696", + "confidence": 70, + "context_timestamp": "2025-12-02T23:04:33.640Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8590545658", + "crawled_timestamp": "2025-12-02T23:05:36.082550829Z", + "created_timestamp": "2025-12-02T23:05:36.082544315Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:04:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:05:00Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "040c151f-d3cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-5702-487696?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "winlogon.exe", + "filename": "winlogon.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\winlogon.exe", + "local_process_id": "6480", + "md5": "f597fa958fd63accc90cb469e7ddc2a5", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30245755835", + "process_id": "30245755835", + "sha256": "5d4d7c29121f22ef85f442df30c6046212de15958c1aa2649e2c0a4fa40dce41", + "timestamp": "2025-12-02T23:04:20Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-5702-487696", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-5702-487696", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "local_prevalence": "unique", + "local_process_id": "7536", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "30266885887", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxAFzp3FL1xzMCCLAUdkq53AAATiFDxt0EWGYsHDcWfdS-coENRUCRcNoMf2WbQnl17hIetg==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: userinit.exe", + "[MOD] The grandparent process was identified as: winlogon.exe" + ], + "priority_value": 99, + "process_id": "30269070036", + "process_start_time": "1764716673", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T23:04:34.122Z", + "tree_id": "8590545658", + "tree_root": "30269070036", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269070036", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:05:37.116712843Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:04:34", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:05:37.116712843Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8590545658", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:04:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:05:00Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269070036-5702-487696", + "local_prevalence": "unique", + "local_process_id": 7536, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: userinit.exe", + "[MOD] The grandparent process was identified as: winlogon.exe" + ], + "priority_value": 99, + "process_id": 30269070036, + "process_start_time": 1764716673, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 8590545658, + "tree_root": 30269070036, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269070036", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "040c151f-d3cf-f011-9bde-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 30266885887, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "winlogon.exe", + "filename": "winlogon.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\winlogon.exe", + "local_process_id": "6480", + "md5": "f597fa958fd63accc90cb469e7ddc2a5", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30245755835", + "process_id": "30245755835", + "sha256": "5d4d7c29121f22ef85f442df30c6046212de15958c1aa2649e2c0a4fa40dce41", + "timestamp": "2025-12-02T23:04:20Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:49:05", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "jRoDPXDrUTlkXGvYb5OwYQ==:0:61:140", + "_insert_time": "Dec 02 2025 17:49:46", + "_name": "CloudDetect-SRTRansomware", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269430413-1002-2410256", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:48:01", + "crawled_timestamp": "2025-12-02T23:49:05.725548084Z", + "created_timestamp": "2025-12-02T23:49:03.577470658Z", + "data_domains": [ + "Endpoint" + ], + "description": "Falcon Overwatch has identified malicious activity of moderate concern. This activity has been raised for your awareness and should be investigated as normal.", + "display_name": "OverWatchAlertModerate", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269430413-1002-2410256?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269430413-1002-2410256", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 1002, + "tactic_id": "CSTA0006", + "technique_id": "CST0002", + "tactic": "Falcon Overwatch", + "technique": "Malicious Activity" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269430413-1002-2410256", + "occurred": "Dec 02 2025 17:49:03", + "pattern_id": 1002, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxhDQ2W-ii6uB5X8JVQKIHowAATiFoWJYDPzQfdE1YzL2KY5UNvPUNx6MEVd0KmTeWBQjvAw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30307421388", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30328456974", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30495917630", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30303078497", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30304758158" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\explorer.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269430413-1002-2410256", + "confidence": 80, + "context_timestamp": "2025-12-02T23:48:01.599Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "crawled_timestamp": "2025-12-02T23:49:05.725548084Z", + "created_timestamp": "2025-12-02T23:49:03.577470658Z", + "data_domains": [ + "Endpoint" + ], + "description": "Falcon Overwatch has identified malicious activity of moderate concern. This activity has been raised for your awareness and should be investigated as normal.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:46:14Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "OverWatchAlertModerate", + "email_sent": true, + "external": true, + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30269430413-1002-2410256?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "files_accessed": [ + { + "filename": "iconcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764716812" + }, + { + "filename": "iconcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764716812" + }, + { + "filename": "thumbcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764716817" + }, + { + "filename": "thumbcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764716817" + }, + { + "filename": "GLEAM-LIGHT.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716822" + }, + { + "filename": "GLEAM-DARK.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716822" + }, + { + "filename": "GLEAM-LIGHT.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716887" + }, + { + "filename": "GLEAM-DARK.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716887" + }, + { + "filename": "GLEAM-LIGHT.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716952" + }, + { + "filename": "GLEAM-DARK.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716952" + } + ], + "files_written": [ + { + "filename": "windowsdefender--threat-.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764717796" + }, + { + "filename": "The Internet.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764717796" + }, + { + "filename": "windowsdefender--threat-.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764717998" + }, + { + "filename": "The Internet.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764717998" + }, + { + "filename": "windowsdefender--enablertp-.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764718039" + }, + { + "filename": "windowsdefender--threat-.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764716744" + }, + { + "filename": "The Internet.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764716744" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "winlogon.exe", + "filename": "winlogon.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\winlogon.exe", + "local_process_id": "6480", + "md5": "f597fa958fd63accc90cb469e7ddc2a5", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30245755835", + "process_id": "30245755835", + "sha256": "5d4d7c29121f22ef85f442df30c6046212de15958c1aa2649e2c0a4fa40dce41", + "timestamp": "2025-12-02T23:04:20Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269430413-1002-2410256", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269430413-1002-2410256", + "ioc_context": [], + "ioc_type": "ow_support_id", + "ioc_value": "6bbb2b36-f047-4404-b889-e258630c5094", + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "common", + "local_process_id": "7568", + "logon_domain": "SKT", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "mitre_attack": [ + { + "pattern_id": 1002, + "tactic_id": "CSTA0006", + "technique_id": "CST0002", + "tactic": "Falcon Overwatch", + "technique": "Malicious Activity" + } + ], + "name": "CloudDetect-SRTRansomware", + "network_accesses": [ + { + "access_timestamp": "1764716681", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "49783", + "protocol": "TCP", + "remote_address": "150.171.27.12", + "remote_port": "443" + } + ], + "objective": "Falcon Detection Method", + "overwatch_note": "Falcon OverWatch observed suspicious activity under user account \"Gunter\". Please review detections in the UI for additional details.\n\nOverWatch highly recommends that you leverage the Prevention Policy Settings to enable detection and prevention features. For further information on the recommended prevention policy settings please refer to:\nhttps://falcon.crowdstrike.com/documentation/209/prevention-policy-settings", + "overwatch_note_timestamp": "2025-12-02T23:48:00Z", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "30266885887", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 1002, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxhDQ2W-ii6uB5X8JVQKIHowAATiFoWJYDPzQfdE1YzL2KY5UNvPUNx6MEVd0KmTeWBQjvAw==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 1002: Falcon Overwatch has identified malicious activity of moderate concern. This activity has been raised for your awareness and should be investigated as normal. (Overwatch detection)" + ], + "priority_value": 93, + "process_id": "30269430413", + "process_start_time": "1764716673", + "product": "epp", + "scenario": "overwatch_detection", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Falcon Overwatch", + "tactic_id": "CSTA0006", + "technique": "Malicious Activity", + "technique_id": "CST0002", + "timestamp": "2025-12-02T23:48:01.743Z", + "tree_id": "8596513285", + "tree_root": "30269430413", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:49:05.725532727Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "overwatch_detection", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:48:01", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:49:05.725532727Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Falcon Overwatch", + "tactic_id": "CSTA0006", + "technique": "Malicious Activity", + "technique_id": "CST0002", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\explorer.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8596513285", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:46:14Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30269430413-1002-2410256", + "local_prevalence": "common", + "local_process_id": 7568, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 1002: Falcon Overwatch has identified malicious activity of moderate concern. This activity has been raised for your awareness and should be investigated as normal. (Overwatch detection)" + ], + "priority_value": 93, + "process_id": 30269430413, + "process_start_time": 1764716673, + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "tree_id": 8596513285, + "tree_root": 30269430413, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "alleged_filetype": "exe", + "parent_process_id": 30266885887, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "winlogon.exe", + "filename": "winlogon.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\winlogon.exe", + "local_process_id": "6480", + "md5": "f597fa958fd63accc90cb469e7ddc2a5", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30245755835", + "process_id": "30245755835", + "sha256": "5d4d7c29121f22ef85f442df30c6046212de15958c1aa2649e2c0a4fa40dce41", + "timestamp": "2025-12-02T23:04:20Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30307421388", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30328456974", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30495917630", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30303078497", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30304758158" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "ow_support_id", + "ioc_value": "6bbb2b36-f047-4404-b889-e258630c5094", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "windowsdefender--threat-.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764717796" + }, + { + "filename": "The Internet.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764717796" + }, + { + "filename": "windowsdefender--threat-.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764717998" + }, + { + "filename": "The Internet.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764717998" + }, + { + "filename": "windowsdefender--enablertp-.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764718039" + }, + { + "filename": "windowsdefender--threat-.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764716744" + }, + { + "filename": "The Internet.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Roaming\\Microsoft\\Windows\\Recent", + "timestamp": "1764716744" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764716681", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "49783", + "protocol": "TCP", + "remote_address": "150.171.27.12", + "remote_port": "443" + } + ], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "iconcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764716812" + }, + { + "filename": "iconcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764716812" + }, + { + "filename": "thumbcache_idx.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764716817" + }, + { + "filename": "thumbcache_16.db", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Windows\\Explorer", + "timestamp": "1764716817" + }, + { + "filename": "GLEAM-LIGHT.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716822" + }, + { + "filename": "GLEAM-DARK.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716822" + }, + { + "filename": "GLEAM-LIGHT.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716887" + }, + { + "filename": "GLEAM-DARK.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716887" + }, + { + "filename": "GLEAM-LIGHT.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716952" + }, + { + "filename": "GLEAM-DARK.svg", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ShellFeeds", + "timestamp": "1764716952" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "true", + "overwatch_note": "Falcon OverWatch observed suspicious activity under user account \"Gunter\". Please review detections in the UI for additional details.\n\nOverWatch highly recommends that you leverage the Prevention Policy Settings to enable detection and prevention features. For further information on the recommended prevention policy settings please refer to:\nhttps://falcon.crowdstrike.com/documentation/209/prevention-policy-settings", + "overwatch_note_timestamp": "Dec 02 2025 17:48:00", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:33:11", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "xx+BVZOH/eKfQj/P3IQe9A==:6:61:140", + "_insert_time": "Dec 02 2025 17:33:47", + "_name": "MaliciousModule", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10136-1858320", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:32:07", + "crawled_timestamp": "2025-12-02T23:33:11.814401246Z", + "created_timestamp": "2025-12-02T23:33:09.933841929Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "display_name": "MaliciousModule", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10136-1858320?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10136-1858320", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10136-1858320", + "occurred": "Dec 02 2025 17:33:09", + "pattern_id": 10136, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx1e_3N8oJjhvzvnN3wZ0KlwAATiHtiBkmdN7O2mcGsKLBa5ESmGzHCQRwpHWHBkI1izLBwA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30418588464", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30348906007", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342169595", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30339485283", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30397982029", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30413124423", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346866510", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30344275538", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346817155", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317047847", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317909596", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30318811229", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30345180721", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30340137523", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30320716625", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342925817", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30430418755", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30449015987", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30455750591", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30497645340", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30498253552", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30499815927", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30501622093", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30521038557" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10136-1858320", + "confidence": 80, + "context_timestamp": "2025-12-02T23:32:07.669Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "crawled_timestamp": "2025-12-02T23:33:11.814401246Z", + "created_timestamp": "2025-12-02T23:33:09.933841929Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MaliciousModule", + "email_sent": true, + "event_correlation_id": "dd27e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10136-1858320?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_accessed": [ + { + "filename": "index.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Service Worker\\CacheStorage\\3cedfb74d44f2e84198d23075aef16c34a668ceb", + "timestamp": "1764717924" + }, + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718328" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10136-1858320", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:32:07Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "165.45259556152084", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10136-1858320", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "common", + "local_process_id": "5124", + "logon_domain": "SKT", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "MaliciousModule", + "network_accesses": [ + { + "access_timestamp": "1764717140", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "49852", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + }, + { + "access_timestamp": "1764717910", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "224.0.0.251", + "remote_port": "5353" + }, + { + "access_timestamp": "1764718328", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50546", + "protocol": "TCP", + "remote_address": "91.52.62.137", + "remote_port": "80" + }, + { + "access_timestamp": "1764717910", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": true, + "local_address": "fe80:0:0:0:8858:ce81:9be8:1c2b", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "ff02:0:0:0:0:0:0:fb", + "remote_port": "5353" + } + ], + "objective": "Follow Through", + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "30269430413", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10136, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx1e_3N8oJjhvzvnN3wZ0KlwAATiHtiBkmdN7O2mcGsKLBa5ESmGzHCQRwpHWHBkI1izLBwA==", + "priority_details": { + "raw_value": 71 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 71, + "process_id": "30311220886", + "process_start_time": "1764716702", + "product": "epp", + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "template_instance_id": "13395", + "timestamp": "2025-12-02T23:32:08.156Z", + "tree_id": "8591711476", + "tree_root": "30311220886", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:11.81439249Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:32:08", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:11.81439249Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Follow Through", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10136-1858320", + "local_prevalence": "common", + "local_process_id": 5124, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 71 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 71, + "process_id": 30311220886, + "process_start_time": 1764716702, + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "tree_id": 8591711476, + "tree_root": 30311220886, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "dd27e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "alleged_filetype": "exe", + "parent_process_id": 30269430413, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30418588464", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30348906007", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342169595", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30339485283", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30397982029", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30413124423", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346866510", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30344275538", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346817155", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317047847", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317909596", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30318811229", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30345180721", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30340137523", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30320716625", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342925817", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30430418755", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30449015987", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30455750591", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30497645340", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30498253552", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30499815927", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30501622093", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30521038557" + ], + "process_end_time": "", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:32:07Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "165.45259556152084", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 13395, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764717140", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "49852", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + }, + { + "access_timestamp": "1764717910", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "224.0.0.251", + "remote_port": "5353" + }, + { + "access_timestamp": "1764718328", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50546", + "protocol": "TCP", + "remote_address": "91.52.62.137", + "remote_port": "80" + }, + { + "access_timestamp": "1764717910", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": true, + "local_address": "fe80:0:0:0:8858:ce81:9be8:1c2b", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "ff02:0:0:0:0:0:0:fb", + "remote_port": "5353" + } + ], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "index.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Service Worker\\CacheStorage\\3cedfb74d44f2e84198d23075aef16c34a668ceb", + "timestamp": "1764717924" + }, + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718328" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:07:39", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "+FEyiELTDbeLL57ZufLJjg==:0:61:140", + "_insert_time": "Dec 02 2025 17:07:46", + "_name": "GenericStandardAppLayerProtocolC2", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10352-779024", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:06:34", + "crawled_timestamp": "2025-12-02T23:07:36.754459276Z", + "created_timestamp": "2025-12-02T23:07:36.754453907Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process attempted to communicate using a standard application layer protocol, possibly to a command and control server. Adversaries can use this to blend in with normal network traffic and evade detection. Review the process tree.", + "display_name": "StandardAppLayerProtocolC2", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10352-779024?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10352-779024", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10352, + "tactic_id": "TA0011", + "technique_id": "T1071", + "tactic": "Command and Control", + "technique": "Application Layer Protocol" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10352-779024", + "occurred": "Dec 02 2025 17:07:36", + "pattern_id": 10352, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxfgUFJYG-KyuFAGod59Eu9gAATiH2_NMqqkdbqqKEM5rbvMs89HruEAusXxOTKDdoFu4NTg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317047847", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317909596", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30318811229", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30320716625", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30344275538", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30339485283", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30340137523", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342169595", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30345180721", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346817155", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342925817", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30348906007", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346866510", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30397982029" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10352-779024", + "confidence": 80, + "context_timestamp": "2025-12-02T23:06:34.080Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "crawled_timestamp": "2025-12-02T23:07:36.754459276Z", + "created_timestamp": "2025-12-02T23:07:36.754453907Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process attempted to communicate using a standard application layer protocol, possibly to a command and control server. Adversaries can use this to blend in with normal network traffic and evade detection. Review the process tree.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:04:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:06:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "StandardAppLayerProtocolC2", + "email_sent": true, + "event_correlation_id": "dd29807f-d3cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10352-779024?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10352-779024", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:07:34Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "26.37161789378807", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10352-779024", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "common", + "local_process_id": "5124", + "logon_domain": "SKT", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "mitre_attack": [ + { + "pattern_id": 10352, + "tactic_id": "TA0011", + "technique_id": "T1071", + "tactic": "Command and Control", + "technique": "Application Layer Protocol" + } + ], + "name": "GenericStandardAppLayerProtocolC2", + "network_accesses": [ + { + "access_timestamp": "1764716794", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "49852", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + } + ], + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "30269430413", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10352, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxfgUFJYG-KyuFAGod59Eu9gAATiH2_NMqqkdbqqKEM5rbvMs89HruEAusXxOTKDdoFu4NTg==", + "priority_details": { + "raw_value": 61 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 61, + "process_id": "30311220886", + "process_start_time": "1764716702", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Application Layer Protocol", + "technique_id": "T1071", + "template_instance_id": "15673", + "timestamp": "2025-12-02T23:06:34.889Z", + "tree_id": "8591711476", + "tree_root": "30311220886", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:07:39.079870749Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:06:34", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:07:39.079870749Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Application Layer Protocol", + "technique_id": "T1071", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:04:55Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:06:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-10352-779024", + "local_prevalence": "common", + "local_process_id": 5124, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 61 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 61, + "process_id": 30311220886, + "process_start_time": 1764716702, + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "tree_id": 8591711476, + "tree_root": 30311220886, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "dd29807f-d3cf-f011-9bde-000d3a1e5143", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "alleged_filetype": "exe", + "parent_process_id": 30269430413, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317047847", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317909596", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30318811229", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30320716625", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30344275538", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30339485283", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30340137523", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342169595", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30345180721", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346817155", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342925817", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30348906007", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346866510", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30397982029" + ], + "process_end_time": "", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:07:34Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "26.37161789378807", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 15673, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764716794", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "49852", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + } + ], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:44:34", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "dq4x11FQJHq9qRi4cg1faQ==:0:61:140", + "_insert_time": "Dec 02 2025 17:44:47", + "_name": "OnWrite-PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-5734-2329104", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:43:29", + "crawled_timestamp": "2025-12-02T23:44:31.834204289Z", + "created_timestamp": "2025-12-02T23:44:31.834197294Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-5734-2329104?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-5734-2329104", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-5734-2329104", + "occurred": "Dec 02 2025 17:44:31", + "pattern_id": 5734, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxZMUbXkDjUpaBQz2l3u4rMAAATiH4mhiIGXtlpCPuZQ4kMhmLVdaa4ikKUBuz8n9AOgZUUg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wmimetricsq.exe", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c" + } + ], + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30499815927", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317909596", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317047847", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30455750591", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30339485283", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30497645340", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30345180721", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342169595", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342925817", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30449015987", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346817155", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30348906007", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30318811229", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30498253552", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30340137523", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30397982029", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30521038557", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30501622093", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30320716625", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30413124423", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30430418755", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30418588464", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346866510", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30344275538" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-5734-2329104", + "confidence": 70, + "context_timestamp": "2025-12-02T23:43:29.698Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "crawled_timestamp": "2025-12-02T23:44:31.834204289Z", + "created_timestamp": "2025-12-02T23:44:31.834197294Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:41:26Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "c139e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-5734-2329104?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_accessed": [ + { + "filename": "index.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Service Worker\\CacheStorage\\3cedfb74d44f2e84198d23075aef16c34a668ceb", + "timestamp": "1764717924" + }, + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718328" + }, + { + "filename": "workdict.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\0511", + "timestamp": "1764718428" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718448" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718468" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718488" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718508" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718528" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718548" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718568" + } + ], + "files_written": [ + { + "filename": "winsas64.bat", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp", + "timestamp": "1764718608" + }, + { + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp", + "timestamp": "1764719009" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-5734-2329104", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-5734-2329104", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wmimetricsq.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wmimetricsq.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "local_prevalence": "common", + "local_process_id": "5124", + "logon_domain": "SKT", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-High", + "network_accesses": [ + { + "access_timestamp": "1764718328", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50546", + "protocol": "TCP", + "remote_address": "91.52.62.137", + "remote_port": "80" + }, + { + "access_timestamp": "1764718328", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "224.0.0.251", + "remote_port": "5353" + }, + { + "access_timestamp": "1764718328", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "49852", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + }, + { + "access_timestamp": "1764718328", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": true, + "local_address": "fe80:0:0:0:8858:ce81:9be8:1c2b", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "ff02:0:0:0:0:0:0:fb", + "remote_port": "5353" + } + ], + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "30269430413", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5734, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxZMUbXkDjUpaBQz2l3u4rMAAATiH4mhiIGXtlpCPuZQ4kMhmLVdaa4ikKUBuz8n9AOgZUUg==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The process is: msedge.exe", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 94, + "process_id": "30311220886", + "process_start_time": "1764716702", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-02T23:43:29.88Z", + "tree_id": "8591711476", + "tree_root": "30311220886", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:44:34.782802783Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:43:29", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:44:34.782802783Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8591711476", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:41:26Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30311220886-5734-2329104", + "local_prevalence": "common", + "local_process_id": 5124, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The process is: msedge.exe", + "[MOD] The parent process was identified as: explorer.exe", + "[MOD] The grandparent process was identified as: userinit.exe" + ], + "priority_value": 94, + "process_id": 30311220886, + "process_start_time": 1764716702, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 8591711476, + "tree_root": 30311220886, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30311220886", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "c139e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "alleged_filetype": "exe", + "parent_process_id": 30269430413, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\explorer.exe", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "7568", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30269430413", + "process_id": "30269430413", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-02T23:06:49Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\userinit.exe", + "local_process_id": "7508", + "md5": "47bbdbe152a597f4a840c5269ed961e8", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30266885887", + "process_id": "30266885887", + "sha256": "03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55", + "timestamp": "2025-12-02T23:05:07Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30499815927", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317909596", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30317047847", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30455750591", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30339485283", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30497645340", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30345180721", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342169595", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30342925817", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30449015987", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346817155", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30348906007", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30318811229", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30498253552", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30340137523", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30397982029", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30521038557", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30501622093", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30320716625", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30413124423", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30430418755", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30418588464", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30346866510", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30344275538" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wmimetricsq.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wmimetricsq.exe", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "winsas64.bat", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp", + "timestamp": "1764718608" + }, + { + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp", + "timestamp": "1764719009" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764718328", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50546", + "protocol": "TCP", + "remote_address": "91.52.62.137", + "remote_port": "80" + }, + { + "access_timestamp": "1764718328", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "224.0.0.251", + "remote_port": "5353" + }, + { + "access_timestamp": "1764718328", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "49852", + "protocol": "TCP", + "remote_address": "91.52.62.64", + "remote_port": "80" + }, + { + "access_timestamp": "1764718328", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": true, + "local_address": "fe80:0:0:0:8858:ce81:9be8:1c2b", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "ff02:0:0:0:0:0:0:fb", + "remote_port": "5353" + } + ], + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wmimetricsq.exe", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "index.txt", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Service Worker\\CacheStorage\\3cedfb74d44f2e84198d23075aef16c34a668ceb", + "timestamp": "1764717924" + }, + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718328" + }, + { + "filename": "workdict.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\0511", + "timestamp": "1764718428" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718448" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718468" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718488" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718508" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718528" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718548" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764718568" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:21:47", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "mgBkp7q7Cv0d3jUCBvZqQQ==:2:61:140", + "_insert_time": "Dec 02 2025 17:22:46", + "_name": "UnusualLocInjectSysProc", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8592247772", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-10244-1352464", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:20:43", + "crawled_timestamp": "2025-12-02T23:21:47.724215552Z", + "created_timestamp": "2025-12-02T23:21:45.830318009Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process, launched from an unusual location, injected into a system process. Malware often moves laterally among benign system processes to evade detection. Investigate both the injector and injectee process trees.", + "display_name": "UnusualLocInjectSysProc", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-10244-1352464?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-10244-1352464", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10244, + "tactic_id": "TA0005", + "technique_id": "T1055", + "tactic": "Defense Evasion", + "technique": "Process Injection" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-10244-1352464", + "occurred": "Dec 02 2025 17:21:45", + "pattern_id": 10244, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxlqAyJXhh6r_NtcVKgalAhgAATiEBOt3QKyHQJPaCaGNB0KHRZrSnjvYeDyuJ3odzEXVvLA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8592247772", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-10244-1352464", + "confidence": 80, + "context_timestamp": "2025-12-02T23:20:43.214Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8592247772", + "crawled_timestamp": "2025-12-02T23:21:47.724215552Z", + "created_timestamp": "2025-12-02T23:21:45.830318009Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process, launched from an unusual location, injected into a system process. Malware often moves laterally among benign system processes to evade detection. Investigate both the injector and injectee process trees.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:16:42Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "UnusualLocInjectSysProc", + "email_sent": true, + "event_correlation_id": "ee48807f-d3cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-10244-1352464?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-10244-1352464", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:21:43Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "84.25042291333641", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-10244-1352464", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "unique", + "local_process_id": "1056", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 10244, + "tactic_id": "TA0005", + "technique_id": "T1055", + "tactic": "Defense Evasion", + "technique": "Process Injection" + } + ], + "name": "UnusualLocInjectSysProc", + "objective": "Keep Access", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "2280", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30474851397", + "process_id": "30474851397", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:19:15Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30474851397", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10244, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxlqAyJXhh6r_NtcVKgalAhgAATiEBOt3QKyHQJPaCaGNB0KHRZrSnjvYeDyuJ3odzEXVvLA==", + "priority_details": { + "raw_value": 70 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 70, + "process_end_time": "1764717644", + "process_id": "30477608682", + "process_start_time": "1764717523", + "product": "epp", + "scenario": "evade_detection", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Process Injection", + "technique_id": "T1055", + "template_instance_id": "595", + "timestamp": "2025-12-02T23:20:43.82Z", + "tree_id": "8592247772", + "tree_root": "30477608682", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30477608682", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:21:47.72420609Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "evade_detection", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:20:43", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:21:47.72420609Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Process Injection", + "technique_id": "T1055", + "cloud_indicator": "false", + "cmdline": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8592247772", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:16:42Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-10244-1352464", + "local_prevalence": "unique", + "local_process_id": 1056, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 70 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 70, + "process_id": 30477608682, + "process_start_time": 1764717523, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 8592247772, + "tree_root": 30477608682, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30477608682", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "ee48807f-d3cf-f011-9bde-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 30474851397, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "2280", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30474851397", + "process_id": "30474851397", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:19:15Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": 1764717644, + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:21:43Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "84.25042291333641", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 595, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:19:51", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "7tN4oBLoxYQIXWA9kq7uCg==:0:61:140", + "_insert_time": "Dec 02 2025 17:20:47", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8592247772", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-5702-1243664", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:18:43", + "crawled_timestamp": "2025-12-02T23:19:45.661137642Z", + "created_timestamp": "2025-12-02T23:19:45.661128976Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-5702-1243664?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-5702-1243664", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-5702-1243664", + "occurred": "Dec 02 2025 17:19:45", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxVzU_P0HbFhZWCo11q8AuVwAATiGJDmQ3OtuDNJkCBJsQjqoweJDCOLU-pwFjmkCimyh6lw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8592247772", + "alleged_filetype": "exe", + "associated_files": [], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-5702-1243664", + "confidence": 70, + "context_timestamp": "2025-12-02T23:18:43.131Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8592247772", + "crawled_timestamp": "2025-12-02T23:19:45.661137642Z", + "created_timestamp": "2025-12-02T23:19:45.661128976Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:16:42Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "2a47807f-d3cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-5702-1243664?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-5702-1243664", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:18:43Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "28.331554774778688", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-5702-1243664", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "local_prevalence": "unique", + "local_process_id": "1056", + "logon_domain": "SKT", + "md5": "55243adaf8e211f336580ebf83268e03", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "2280", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30474851397", + "process_id": "30474851397", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:19:15Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30474851397", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxVzU_P0HbFhZWCo11q8AuVwAATiGJDmQ3OtuDNJkCBJsQjqoweJDCOLU-pwFjmkCimyh6lw==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_id": "30477608682", + "process_start_time": "1764717523", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T23:18:43.759Z", + "tree_id": "8592247772", + "tree_root": "30477608682", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30477608682", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:19:51.750910614Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:18:43", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:19:51.750910614Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8592247772", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:16:42Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "mxs_installer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30477608682-5702-1243664", + "local_prevalence": "unique", + "local_process_id": 1056, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The process is: mxs_installer.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_id": 30477608682, + "process_start_time": 1764717523, + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "tree_id": 8592247772, + "tree_root": 30477608682, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30477608682", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "2a47807f-d3cf-f011-9bde-000d3a1e5143", + "md5": "55243adaf8e211f336580ebf83268e03", + "alleged_filetype": "exe", + "parent_process_id": 30474851397, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "2280", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30474851397", + "process_id": "30474851397", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:19:15Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:18:43Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "28.331554774778688", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "md5": "55243adaf8e211f336580ebf83268e03", + "sha256": "6fa27fb1cb5d417fa9a0710c4ec56e8e7eab985b17fe8632381c03e6c6f10672", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Temp\\mxs_installer.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:33:06", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "xx+BVZOH/eKfQj/P3IQe9A==:1:61:140", + "_insert_time": "Dec 02 2025 17:33:47", + "_name": "MalwareProcess", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1795856", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:32:03", + "crawled_timestamp": "2025-12-02T23:33:04.941938315Z", + "created_timestamp": "2025-12-02T23:33:04.941931744Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process related to a likely malicious file was launched. Review any binaries involved as they might be related to malware.", + "display_name": "MalwareProcess", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1795856?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1795856", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10116, + "tactic_id": "CSTA0003", + "technique_id": "CST0010", + "tactic": "Post-Exploit", + "technique": "Malicious Tool Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1795856", + "occurred": "Dec 02 2025 17:33:04", + "pattern_id": 10116, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx17k6gJ3S4dDkkShZ_NQ6bwAATiHw6ui_KHqXuc9gPFW81T0Sn7Ia3SILZkIh5p1BP8jMCw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\WinResSvc.exe ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1795856", + "confidence": 80, + "context_timestamp": "2025-12-02T23:32:03.621Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "crawled_timestamp": "2025-12-02T23:33:04.941938315Z", + "created_timestamp": "2025-12-02T23:33:04.941931744Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process related to a likely malicious file was launched. Review any binaries involved as they might be related to malware.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MalwareProcess", + "email_sent": true, + "event_correlation_id": "4427e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1795856?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718324" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "1088", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "process_id": "30082198673", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:03:50.679Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1795856", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:32:07Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "165.45259556152084", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1795856", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "8700", + "logon_domain": "SKT", + "md5": "5883eb17a1d42131a006372c3b91721c", + "mitre_attack": [ + { + "pattern_id": 10116, + "tactic_id": "CSTA0003", + "technique_id": "CST0010", + "tactic": "Post-Exploit", + "technique": "Malicious Tool Execution" + } + ], + "name": "MalwareProcess", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\System32\\WinResSvc.exe 2>&1", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555", + "process_id": "30524324555", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:32:08Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30524324555", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10116, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx17k6gJ3S4dDkkShZ_NQ6bwAATiHw6ui_KHqXuc9gPFW81T0Sn7Ia3SILZkIh5p1BP8jMCw==", + "priority_details": { + "raw_value": 59 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 59, + "process_id": "30527178531", + "process_start_time": "1764718323", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Post-Exploit", + "tactic_id": "CSTA0003", + "technique": "Malicious Tool Execution", + "technique_id": "CST0010", + "template_instance_id": "14927", + "timestamp": "2025-12-02T23:32:04.11Z", + "tree_id": "8594136518", + "tree_root": "30082198673", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527178531", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:06.79881822Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:32:04", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:06.79881822Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Post-Exploit", + "tactic_id": "CSTA0003", + "technique": "Malicious Tool Execution", + "technique_id": "CST0010", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\WinResSvc.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1795856", + "local_prevalence": "unique", + "local_process_id": 8700, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 59 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 59, + "process_id": 30527178531, + "process_start_time": 1764718323, + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "tree_id": 8594136518, + "tree_root": 30082198673, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527178531", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "4427e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "5883eb17a1d42131a006372c3b91721c", + "alleged_filetype": "exe", + "parent_process_id": 30524324555, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\System32\\WinResSvc.exe 2>&1", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555", + "process_id": "30524324555", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:32:08Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "1088", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "process_id": "30082198673", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:03:50.679Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:32:07Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "165.45259556152084", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 14927, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718324" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:33:07", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "xx+BVZOH/eKfQj/P3IQe9A==:0:61:140", + "_insert_time": "Dec 02 2025 17:33:47", + "_name": "MalwareProcess", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1800208", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:32:03", + "crawled_timestamp": "2025-12-02T23:33:07.183310974Z", + "created_timestamp": "2025-12-02T23:33:04.938500637Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process related to a likely malicious file was launched. Review any binaries involved as they might be related to malware.", + "display_name": "MalwareProcess", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1800208?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1800208", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10116, + "tactic_id": "CSTA0003", + "technique_id": "CST0010", + "tactic": "Post-Exploit", + "technique": "Malicious Tool Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1800208", + "occurred": "Dec 02 2025 17:33:04", + "pattern_id": 10116, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxyVWFMwZXPQEJq_9mh7KgjgAATiGsD9arFN4ysccHYWxFOfWWvlsotWD69rTRvY7A5n8MAQ==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\WinResSvc.exe ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1800208", + "confidence": 80, + "context_timestamp": "2025-12-02T23:32:03.824Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "crawled_timestamp": "2025-12-02T23:33:07.183310974Z", + "created_timestamp": "2025-12-02T23:33:04.938500637Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process related to a likely malicious file was launched. Review any binaries involved as they might be related to malware.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MalwareProcess", + "email_sent": true, + "event_correlation_id": "5527e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1800208?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "files_written": [ + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718324" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "1088", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "process_id": "30082198673", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:03:50.679Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1800208", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:32:07Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "165.45259556152084", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1800208", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "unique", + "local_process_id": "8700", + "logon_domain": "SKT", + "md5": "5883eb17a1d42131a006372c3b91721c", + "mitre_attack": [ + { + "pattern_id": 10116, + "tactic_id": "CSTA0003", + "technique_id": "CST0010", + "tactic": "Post-Exploit", + "technique": "Malicious Tool Execution" + } + ], + "name": "MalwareProcess", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\System32\\WinResSvc.exe 2>&1", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555", + "process_id": "30524324555", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:32:08Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30524324555", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10116, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxyVWFMwZXPQEJq_9mh7KgjgAATiGsD9arFN4ysccHYWxFOfWWvlsotWD69rTRvY7A5n8MAQ==", + "priority_details": { + "raw_value": 59 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 59, + "process_end_time": "1764718326", + "process_id": "30527178531", + "process_start_time": "1764718323", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Post-Exploit", + "tactic_id": "CSTA0003", + "technique": "Malicious Tool Execution", + "technique_id": "CST0010", + "template_instance_id": "14927", + "timestamp": "2025-12-02T23:32:04.111Z", + "tree_id": "8594136518", + "tree_root": "30082198673", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527178531", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:07.183291941Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:32:04", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:07.183291941Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Post-Exploit", + "tactic_id": "CSTA0003", + "technique": "Malicious Tool Execution", + "technique_id": "CST0010", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\WinResSvc.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-10116-1800208", + "local_prevalence": "unique", + "local_process_id": 8700, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 59 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 59, + "process_id": 30527178531, + "process_start_time": 1764718323, + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "tree_id": 8594136518, + "tree_root": 30082198673, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527178531", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "5527e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "5883eb17a1d42131a006372c3b91721c", + "alleged_filetype": "exe", + "parent_process_id": 30524324555, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\System32\\WinResSvc.exe 2>&1", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555", + "process_id": "30524324555", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:32:08Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "1088", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "process_id": "30082198673", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:03:50.679Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": 1764718326, + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:32:07Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "165.45259556152084", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 14927, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718324" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:33:06", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "xx+BVZOH/eKfQj/P3IQe9A==:2:61:140", + "_insert_time": "Dec 02 2025 17:33:47", + "_name": "PrewittSensorDetect-Low", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5706-1794320", + "confidence": 30, + "context_timestamp": "Dec 02 2025 17:32:03", + "crawled_timestamp": "2025-12-02T23:33:04.94344893Z", + "created_timestamp": "2025-12-02T23:33:04.943440461Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's low-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-Low", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5706-1794320?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5706-1794320", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5706, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5706-1794320", + "occurred": "Dec 02 2025 17:33:04", + "pattern_id": 5706, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxllH5ivDap52lJv5PBb9dUwAATiH7H9MC-HWOWBnEit1nXgwQ7Dj0eydOjPIb8vOPllyMwg==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "alleged_filetype": "exe", + "associated_files": [], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\WinResSvc.exe ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5706-1794320", + "confidence": 30, + "context_timestamp": "2025-12-02T23:32:03.590Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "crawled_timestamp": "2025-12-02T23:33:04.94344893Z", + "created_timestamp": "2025-12-02T23:33:04.943440461Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's low-confidence threshold for malware.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-Low", + "email_sent": true, + "event_correlation_id": "3c27e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5706-1794320?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "files_written": [ + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718324" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "1088", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "process_id": "30082198673", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:03:50.679Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5706-1794320", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5706-1794320", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "md5": "5883eb17a1d42131a006372c3b91721c", + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "local_prevalence": "unique", + "local_process_id": "8700", + "logon_domain": "SKT", + "md5": "5883eb17a1d42131a006372c3b91721c", + "mitre_attack": [ + { + "pattern_id": 5706, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-Low", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\System32\\WinResSvc.exe 2>&1", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555", + "process_id": "30524324555", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:32:08Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30524324555", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5706, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxllH5ivDap52lJv5PBb9dUwAATiH7H9MC-HWOWBnEit1nXgwQ7Dj0eydOjPIb8vOPllyMwg==", + "priority_details": { + "raw_value": 48 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred" + ], + "priority_value": 48, + "process_id": "30527178531", + "process_start_time": "1764718323", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 30, + "severity_name": "Low", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-02T23:32:03.716Z", + "tree_id": "8594136518", + "tree_root": "30082198673", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527178531", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:06.142373007Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 30, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:32:03", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:06.142373007Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\WinResSvc.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5706-1794320", + "local_prevalence": "unique", + "local_process_id": 8700, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 48 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred" + ], + "priority_value": 48, + "process_id": 30527178531, + "process_start_time": 1764718323, + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "tree_id": 8594136518, + "tree_root": 30082198673, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527178531", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "3c27e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "5883eb17a1d42131a006372c3b91721c", + "alleged_filetype": "exe", + "parent_process_id": 30524324555, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\System32\\WinResSvc.exe 2>&1", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555", + "process_id": "30524324555", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:32:08Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "1088", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "process_id": "30082198673", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:03:50.679Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "md5": "5883eb17a1d42131a006372c3b91721c", + "sha256": "580c86f628e59a430b8cfa7d3376851866e46f68262afb1e39443c2c83d21c0a", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718324" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:33:11", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "xx+BVZOH/eKfQj/P3IQe9A==:5:61:140", + "_insert_time": "Dec 02 2025 17:33:47", + "_name": "OnWrite-PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1813264", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:32:04", + "crawled_timestamp": "2025-12-02T23:33:07.289872631Z", + "created_timestamp": "2025-12-02T23:33:07.289864832Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1813264?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1813264", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1813264", + "occurred": "Dec 02 2025 17:33:07", + "pattern_id": 5734, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx6vD7rcAEaOzBHzWe7_sJqAAATiHzaL6nBKuSVFyHs4kHdO3vBSOELqEhk2z7S2HlwpD3yQ==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4" + } + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\WinResSvc.exe ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1813264", + "confidence": 70, + "context_timestamp": "2025-12-02T23:32:04.715Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "crawled_timestamp": "2025-12-02T23:33:07.289872631Z", + "created_timestamp": "2025-12-02T23:33:07.289864832Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "a827e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1813264?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "files_written": [ + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718324" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "1088", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "process_id": "30082198673", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:03:50.679Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1813264", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1813264", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "local_prevalence": "unique", + "local_process_id": "8700", + "logon_domain": "SKT", + "md5": "5883eb17a1d42131a006372c3b91721c", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\System32\\WinResSvc.exe 2>&1", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555", + "process_id": "30524324555", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:32:08Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30524324555", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5734, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx6vD7rcAEaOzBHzWe7_sJqAAATiHzaL6nBKuSVFyHs4kHdO3vBSOELqEhk2z7S2HlwpD3yQ==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_end_time": "1764718326", + "process_id": "30527178531", + "process_start_time": "1764718323", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-02T23:32:05.274Z", + "tree_id": "8594136518", + "tree_root": "30082198673", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527178531", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:11.792988245Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:32:05", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:11.792988245Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\WinResSvc.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1813264", + "local_prevalence": "unique", + "local_process_id": 8700, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_id": 30527178531, + "process_start_time": 1764718323, + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "tree_id": 8594136518, + "tree_root": 30082198673, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527178531", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "a827e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "5883eb17a1d42131a006372c3b91721c", + "alleged_filetype": "exe", + "parent_process_id": 30524324555, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\System32\\WinResSvc.exe 2>&1", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555", + "process_id": "30524324555", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:32:08Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "1088", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "process_id": "30082198673", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:03:50.679Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": 1764718326, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718324" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:33:08", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "xx+BVZOH/eKfQj/P3IQe9A==:3:61:140", + "_insert_time": "Dec 02 2025 17:33:47", + "_name": "OnWrite-PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1819664", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:32:04", + "crawled_timestamp": "2025-12-02T23:33:07.23997716Z", + "created_timestamp": "2025-12-02T23:33:07.239966401Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1819664?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1819664", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1819664", + "occurred": "Dec 02 2025 17:33:07", + "pattern_id": 5734, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxXh4UEMOE1G6SUWqIjNbj7AAATiF7rykxumXbFXVCcRzuowSR2C3rjWjIOChq4aJBsmNh9w==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f" + } + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\WinResSvc.exe ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1819664", + "confidence": 70, + "context_timestamp": "2025-12-02T23:32:04.996Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "crawled_timestamp": "2025-12-02T23:33:07.23997716Z", + "created_timestamp": "2025-12-02T23:33:07.239966401Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "ba27e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1819664?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718324" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "1088", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "process_id": "30082198673", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:03:50.679Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1819664", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1819664", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "md5": "de9e37104fed5cbbd030de112c2d8b57", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "local_prevalence": "unique", + "local_process_id": "8700", + "logon_domain": "SKT", + "md5": "de9e37104fed5cbbd030de112c2d8b57", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\System32\\WinResSvc.exe 2>&1", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555", + "process_id": "30524324555", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:32:08Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30524324555", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5734, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxXh4UEMOE1G6SUWqIjNbj7AAATiF7rykxumXbFXVCcRzuowSR2C3rjWjIOChq4aJBsmNh9w==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_end_time": "1764718326", + "process_id": "30527178531", + "process_start_time": "1764718323", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-02T23:32:05.337Z", + "tree_id": "8594136518", + "tree_root": "30082198673", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527178531", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:08.172531101Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:32:05", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:08.172531101Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\WinResSvc.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8594136518", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "WinResSvc.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\WinResSvc.exe", + "global_prevalence": "low", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527178531-5734-1819664", + "local_prevalence": "unique", + "local_process_id": 8700, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_id": 30527178531, + "process_start_time": 1764718323, + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "tree_id": 8594136518, + "tree_root": 30082198673, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527178531", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "ba27e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "de9e37104fed5cbbd030de112c2d8b57", + "alleged_filetype": "exe", + "parent_process_id": 30524324555, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\System32\\WinResSvc.exe 2>&1", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30524324555", + "process_id": "30524324555", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:32:08Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s LSM", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "1088", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30082198673", + "process_id": "30082198673", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:03:50.679Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": 1764718326, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "md5": "de9e37104fed5cbbd030de112c2d8b57", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764718324" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718324" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:33:11", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "xx+BVZOH/eKfQj/P3IQe9A==:4:61:140", + "_insert_time": "Dec 02 2025 17:33:47", + "_name": "MaliciousModule", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527598555-10136-1814288", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:32:04", + "crawled_timestamp": "2025-12-02T23:33:08.67537085Z", + "created_timestamp": "2025-12-02T23:33:07.265820145Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "display_name": "MaliciousModule", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527598555-10136-1814288?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527598555-10136-1814288", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527598555-10136-1814288", + "occurred": "Dec 02 2025 17:33:07", + "pattern_id": 10136, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxE__kOz0GyjhsUU_x_Kn8sQAATiH5oxUGLpH7tw549C2UO_PbV2Z6sPCpuTtfasyyjyvwSA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527598555-10136-1814288", + "confidence": 80, + "context_timestamp": "2025-12-02T23:32:04.715Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "crawled_timestamp": "2025-12-02T23:33:08.67537085Z", + "created_timestamp": "2025-12-02T23:33:07.265820145Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MaliciousModule", + "email_sent": true, + "event_correlation_id": "ab27e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30527598555-10136-1814288?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "files_accessed": [ + { + "filename": "history.jpg", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718325" + }, + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718325" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "788", + "md5": "3588c1ac44dce86a043310b07679c508", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30072932940", + "process_id": "30072932940", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "2025-12-02T23:03:50.491Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527598555-10136-1814288", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:32:07Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "165.45259556152084", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527598555-10136-1814288", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "common", + "local_process_id": "944", + "logon_domain": "SKT", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "MaliciousModule", + "objective": "Follow Through", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30075467319", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10136, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxE__kOz0GyjhsUU_x_Kn8sQAATiH5oxUGLpH7tw549C2UO_PbV2Z6sPCpuTtfasyyjyvwSA==", + "priority_details": { + "raw_value": 96 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10136: A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "[MOD] The process is: svchost.exe", + "[MOD] The parent process was identified as: services.exe", + "[MOD] The grandparent process was identified as: wininit.exe" + ], + "priority_value": 96, + "process_id": "30527598555", + "process_start_time": "1764718324", + "product": "epp", + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "template_instance_id": "13035", + "timestamp": "2025-12-02T23:32:05.274Z", + "tree_id": "8595404239", + "tree_root": "30527598555", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:11.67308038Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:32:05", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:33:11.67308038Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Follow Through", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:28:55Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30527598555-10136-1814288", + "local_prevalence": "common", + "local_process_id": 944, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 96 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10136: A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "[MOD] The process is: svchost.exe", + "[MOD] The parent process was identified as: services.exe", + "[MOD] The grandparent process was identified as: wininit.exe" + ], + "priority_value": 96, + "process_id": 30527598555, + "process_start_time": 1764718324, + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "tree_id": 8595404239, + "tree_root": 30527598555, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "ab27e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "alleged_filetype": "exe", + "parent_process_id": 30075467319, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "788", + "md5": "3588c1ac44dce86a043310b07679c508", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30072932940", + "process_id": "30072932940", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "2025-12-02T23:03:50.491Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:32:07Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "165.45259556152084", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 13035, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "history.jpg", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718325" + }, + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764718325" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:34:55", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "7g63qgwmT7hM1CT4W/LEWg==:1:61:140", + "_insert_time": "Dec 02 2025 17:35:46", + "_name": "ReconCommands", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30529943324-10135-1925648", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:33:50", + "crawled_timestamp": "2025-12-02T23:34:52.893642654Z", + "created_timestamp": "2025-12-02T23:34:52.89363478Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process tree contains commands that some adversaries use for reconnaissance, but are also used by some system administrators. If this activity is unexpected, review the process tree.", + "display_name": "ReconCommands", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30529943324-10135-1925648?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30529943324-10135-1925648", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10135, + "tactic_id": "TA0002", + "technique_id": "T1059", + "tactic": "Execution", + "technique": "Command and Scripting Interpreter" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30529943324-10135-1925648", + "occurred": "Dec 02 2025 17:34:52", + "pattern_id": 10135, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-b5WANfXYzFhLfy0KyKj2gAATiHGMmx3kGq_SBT7kE2gZ1Tosx_zcYKvNUxq2_V2XXffmA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30530655779", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30532010776" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "cmd.exe /c whoami", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30529943324-10135-1925648", + "confidence": 80, + "context_timestamp": "2025-12-02T23:33:50.646Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "crawled_timestamp": "2025-12-02T23:34:52.893642654Z", + "created_timestamp": "2025-12-02T23:34:52.89363478Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process tree contains commands that some adversaries use for reconnaissance, but are also used by some system administrators. If this activity is unexpected, review the process tree.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:34:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "ReconCommands", + "email_sent": true, + "event_correlation_id": "8628e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30529943324-10135-1925648?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30529943324-10135-1925648", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:33:50Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "217.8860427110646", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30529943324-10135-1925648", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "common", + "local_process_id": "7712", + "logon_domain": "SKT", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "mitre_attack": [ + { + "pattern_id": 10135, + "tactic_id": "TA0002", + "technique_id": "T1059", + "tactic": "Execution", + "technique": "Command and Scripting Interpreter" + } + ], + "name": "ReconCommands", + "objective": "Follow Through", + "parent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30527598555", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10135, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-b5WANfXYzFhLfy0KyKj2gAATiHGMmx3kGq_SBT7kE2gZ1Tosx_zcYKvNUxq2_V2XXffmA==", + "priority_details": { + "raw_value": 71 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred" + ], + "priority_value": 71, + "process_end_time": "1764718431", + "process_id": "30529943324", + "process_start_time": "1764718430", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Command and Scripting Interpreter", + "technique_id": "T1059", + "template_instance_id": "20461", + "timestamp": "2025-12-02T23:33:50.834Z", + "tree_id": "8595404239", + "tree_root": "30527598555", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30529943324", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:34:55.003764572Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:33:50", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:34:55.003764572Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Follow Through", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Command and Scripting Interpreter", + "technique_id": "T1059", + "cloud_indicator": "false", + "cmdline": "cmd.exe /c whoami", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:34:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30529943324-10135-1925648", + "local_prevalence": "common", + "local_process_id": 7712, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 71 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred" + ], + "priority_value": 71, + "process_id": 30529943324, + "process_start_time": 1764718430, + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "tree_id": 8595404239, + "tree_root": 30527598555, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30529943324", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "8628e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "alleged_filetype": "exe", + "parent_process_id": 30527598555, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30530655779", + "pid:87ef612d8acd4f6897cc9eb253469ee4:30532010776" + ], + "process_end_time": 1764718431, + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:33:50Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "217.8860427110646", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 20461, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:34:54", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "7g63qgwmT7hM1CT4W/LEWg==:0:61:140", + "_insert_time": "Dec 02 2025 17:35:46", + "_name": "GenericSystemOwnerUserDiscovery", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30532010776-10337-1928720", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:33:50", + "crawled_timestamp": "2025-12-02T23:34:54.239244578Z", + "created_timestamp": "2025-12-02T23:34:52.890302542Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process gathered information about one or more system users. Adversaries can use this to guide future behaviors. Review the process tree.", + "display_name": "SystemOwnerUserDiscovery", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30532010776-10337-1928720?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30532010776-10337-1928720", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10337, + "tactic_id": "TA0007", + "technique_id": "T1033", + "tactic": "Discovery", + "technique": "System Owner/User Discovery" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30532010776-10337-1928720", + "occurred": "Dec 02 2025 17:34:52", + "pattern_id": 10337, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxD2J9UlC3OBYNL1OsHHk1egAATiFgu9Dixg1mGEfzZKgtpMHs2iSN_RXDyxSn9i75e_TPpA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "whoami", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30532010776-10337-1928720", + "confidence": 80, + "context_timestamp": "2025-12-02T23:33:50.771Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "crawled_timestamp": "2025-12-02T23:34:54.239244578Z", + "created_timestamp": "2025-12-02T23:34:52.890302542Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process gathered information about one or more system users. Adversaries can use this to guide future behaviors. Review the process tree.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:34:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "SystemOwnerUserDiscovery", + "email_sent": true, + "event_correlation_id": "b228e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30532010776-10337-1928720?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "whoami.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\whoami.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30532010776-10337-1928720", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:33:50Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "217.8860427110646", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30532010776-10337-1928720", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "low", + "local_process_id": "5184", + "logon_domain": "SKT", + "md5": "a4a6924f3eaf97981323703d38fd99c4", + "mitre_attack": [ + { + "pattern_id": 10337, + "tactic_id": "TA0007", + "technique_id": "T1033", + "tactic": "Discovery", + "technique": "System Owner/User Discovery" + } + ], + "name": "GenericSystemOwnerUserDiscovery", + "objective": "Explore", + "parent_details": { + "cmdline": "cmd.exe /c whoami", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "7712", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30529943324", + "process_id": "30529943324", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30529943324", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10337, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxD2J9UlC3OBYNL1OsHHk1egAATiFgu9Dixg1mGEfzZKgtpMHs2iSN_RXDyxSn9i75e_TPpA==", + "priority_details": { + "raw_value": 96 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 10337: A process gathered information about one or more system users. Adversaries can use this to guide future behaviors. Review the process tree.", + "[MOD] The process is: whoami.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 96, + "process_end_time": "1764718431", + "process_id": "30532010776", + "process_start_time": "1764718430", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "1d4902a04d99e8ccbfe7085e63155955fee397449d386453f6c452ae407b8743", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Discovery", + "tactic_id": "TA0007", + "technique": "System Owner/User Discovery", + "technique_id": "T1033", + "template_instance_id": "14918", + "timestamp": "2025-12-02T23:33:51.396Z", + "tree_id": "8595404239", + "tree_root": "30527598555", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30532010776", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:34:54.239234849Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:33:51", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:34:54.239234849Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Explore", + "tactic": "Discovery", + "tactic_id": "TA0007", + "technique": "System Owner/User Discovery", + "technique_id": "T1033", + "cloud_indicator": "false", + "cmdline": "whoami", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:34:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "whoami.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\whoami.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30532010776-10337-1928720", + "local_prevalence": "low", + "local_process_id": 5184, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 96 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 10337: A process gathered information about one or more system users. Adversaries can use this to guide future behaviors. Review the process tree.", + "[MOD] The process is: whoami.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 96, + "process_id": 30532010776, + "process_start_time": 1764718430, + "sha256": "1d4902a04d99e8ccbfe7085e63155955fee397449d386453f6c452ae407b8743", + "tree_id": 8595404239, + "tree_root": 30527598555, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30532010776", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "b228e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "a4a6924f3eaf97981323703d38fd99c4", + "alleged_filetype": "exe", + "parent_process_id": 30529943324, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c whoami", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "7712", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30529943324", + "process_id": "30529943324", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": 1764718431, + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:33:50Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "217.8860427110646", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 14918, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:39:10", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "bwH2I9rxTeq9qA+tFTIcoA==:1:61:140", + "_insert_time": "Dec 02 2025 17:39:47", + "_name": "SuspiciousScript", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2086416", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:38:02", + "crawled_timestamp": "2025-12-02T23:39:05.359179101Z", + "created_timestamp": "2025-12-02T23:39:05.359171072Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script.", + "display_name": "SuspiciousScript", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2086416?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2086416", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10101, + "tactic_id": "TA0002", + "technique_id": "T1059", + "tactic": "Execution", + "technique": "Command and Scripting Interpreter" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2086416", + "occurred": "Dec 02 2025 17:39:05", + "pattern_id": 10101, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxl1jQlWnBrU3ZB_2H39BLYwAATiHNj3lx_ZTNjzNllPOWWZCywsGX0dKb3r_jyel82hITcw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "net use \\\\bannik\\c$ \"Password1!\" /user:ethurberAdmin ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2086416", + "confidence": 80, + "context_timestamp": "2025-12-02T23:38:02.556Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "crawled_timestamp": "2025-12-02T23:39:05.359179101Z", + "created_timestamp": "2025-12-02T23:39:05.359171072Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:34:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "SuspiciousScript", + "email_sent": true, + "event_correlation_id": "ce31e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2086416?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "net.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\net.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2086416", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:38:03Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "250.64382385807266", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2086416", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "9556", + "logon_domain": "SKT", + "md5": "0bd94a338eea5a4e1f2830ae326e6d19", + "mitre_attack": [ + { + "pattern_id": 10101, + "tactic_id": "TA0002", + "technique_id": "T1059", + "tactic": "Execution", + "technique": "Command and Scripting Interpreter" + } + ], + "name": "SuspiciousScript", + "network_accesses": [ + { + "access_timestamp": "1764718683", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50720", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "80" + } + ], + "objective": "Follow Through", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\winsas64.bat", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "5936", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30547706083", + "process_id": "30547706083", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:36:56Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30547706083", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10101, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxl1jQlWnBrU3ZB_2H39BLYwAATiHNj3lx_ZTNjzNllPOWWZCywsGX0dKb3r_jyel82hITcw==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10101: A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script.", + "[MOD] The process is: net.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 95, + "process_end_time": "1764718699", + "process_id": "30561697993", + "process_start_time": "1764718682", + "product": "epp", + "scenario": "attacker_methodology", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "9f376759bcbcd705f726460fc4a7e2b07f310f52baa73caaaaa124fddbdf993e", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Command and Scripting Interpreter", + "technique_id": "T1059", + "template_instance_id": "16192", + "timestamp": "2025-12-02T23:38:03.176Z", + "tree_id": "8595404239", + "tree_root": "30527598555", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30561697993", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:39:10.069878919Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "attacker_methodology", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:38:03", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:39:10.069878919Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Follow Through", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Command and Scripting Interpreter", + "technique_id": "T1059", + "cloud_indicator": "false", + "cmdline": "net use \\\\bannik\\c$ \"Password1!\" /user:ethurberAdmin", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:34:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "net.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\net.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2086416", + "local_prevalence": "common", + "local_process_id": 9556, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10101: A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script.", + "[MOD] The process is: net.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 95, + "process_id": 30561697993, + "process_start_time": 1764718682, + "sha256": "9f376759bcbcd705f726460fc4a7e2b07f310f52baa73caaaaa124fddbdf993e", + "tree_id": 8595404239, + "tree_root": 30527598555, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30561697993", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "ce31e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "0bd94a338eea5a4e1f2830ae326e6d19", + "alleged_filetype": "exe", + "parent_process_id": 30547706083, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\winsas64.bat", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "5936", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30547706083", + "process_id": "30547706083", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:36:56Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": 1764718699, + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:38:03Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "250.64382385807266", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 16192, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764718683", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50720", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "80" + } + ], + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:39:10", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "bwH2I9rxTeq9qA+tFTIcoA==:0:61:140", + "_insert_time": "Dec 02 2025 17:39:47", + "_name": "SuspiciousScript", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2087952", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:38:02", + "crawled_timestamp": "2025-12-02T23:39:07.105582874Z", + "created_timestamp": "2025-12-02T23:39:05.353729787Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script.", + "display_name": "SuspiciousScript", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2087952?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2087952", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10101, + "tactic_id": "TA0002", + "technique_id": "T1059", + "tactic": "Execution", + "technique": "Command and Scripting Interpreter" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2087952", + "occurred": "Dec 02 2025 17:39:05", + "pattern_id": 10101, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxsfUA1h-K8JqOI0Hu2jIxLQAATiFQDWBrI0hcHUlQ6yZfnVNKvq3Bu65U7K7-38p5z6szVQ==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "net use \\\\bannik\\c$ \"Password1!\" /user:ethurberAdmin ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2087952", + "confidence": 80, + "context_timestamp": "2025-12-02T23:38:02.986Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "crawled_timestamp": "2025-12-02T23:39:07.105582874Z", + "created_timestamp": "2025-12-02T23:39:05.353729787Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:34:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "SuspiciousScript", + "email_sent": true, + "event_correlation_id": "dc31e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2087952?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "net.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\net.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2087952", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:38:03Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "250.64382385807266", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2087952", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "common", + "local_process_id": "9556", + "logon_domain": "SKT", + "md5": "0bd94a338eea5a4e1f2830ae326e6d19", + "mitre_attack": [ + { + "pattern_id": 10101, + "tactic_id": "TA0002", + "technique_id": "T1059", + "tactic": "Execution", + "technique": "Command and Scripting Interpreter" + } + ], + "name": "SuspiciousScript", + "network_accesses": [ + { + "access_timestamp": "1764718683", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50720", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "80" + } + ], + "objective": "Follow Through", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\winsas64.bat", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "5936", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30547706083", + "process_id": "30547706083", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:36:56Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30547706083", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10101, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxsfUA1h-K8JqOI0Hu2jIxLQAATiFQDWBrI0hcHUlQ6yZfnVNKvq3Bu65U7K7-38p5z6szVQ==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10101: A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script.", + "[MOD] The process is: net.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 95, + "process_end_time": "1764718699", + "process_id": "30561697993", + "process_start_time": "1764718682", + "product": "epp", + "scenario": "attacker_methodology", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "9f376759bcbcd705f726460fc4a7e2b07f310f52baa73caaaaa124fddbdf993e", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Command and Scripting Interpreter", + "technique_id": "T1059", + "template_instance_id": "16192", + "timestamp": "2025-12-02T23:38:03.242Z", + "tree_id": "8595404239", + "tree_root": "30527598555", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30561697993", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:39:10.071472899Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "attacker_methodology", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 50, + "severity_name": "Medium", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:38:03", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:39:10.071472899Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Follow Through", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Command and Scripting Interpreter", + "technique_id": "T1059", + "cloud_indicator": "false", + "cmdline": "net use \\\\bannik\\c$ \"Password1!\" /user:ethurberAdmin", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:09:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:34:30Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "net.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\net.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30561697993-10101-2087952", + "local_prevalence": "common", + "local_process_id": 9556, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10101: A suspicious script launched that might be related to malicious activity. A variety of malware families use this technique. Review the script.", + "[MOD] The process is: net.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 95, + "process_id": 30561697993, + "process_start_time": 1764718682, + "sha256": "9f376759bcbcd705f726460fc4a7e2b07f310f52baa73caaaaa124fddbdf993e", + "tree_id": 8595404239, + "tree_root": 30527598555, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30561697993", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "dc31e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "0bd94a338eea5a4e1f2830ae326e6d19", + "alleged_filetype": "exe", + "parent_process_id": 30547706083, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\winsas64.bat", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "5936", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30547706083", + "process_id": "30547706083", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:36:56Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": 1764718699, + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:38:03Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "250.64382385807266", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 16192, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764718683", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50720", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "80" + } + ], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:43:37", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "xLoSLEBVNsxuEdQCpHwRLg==:0:61:140", + "_insert_time": "Dec 02 2025 17:43:46", + "_name": "LoadedMaliciousModule", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30581525267-10204-2296592", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:42:31", + "crawled_timestamp": "2025-12-02T23:43:36.117990896Z", + "created_timestamp": "2025-12-02T23:43:34.069066938Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module associated with known malware. Malware might have hijacked a benign process and loaded the malicious module to evade detection. Review the DLLs the process loaded.", + "display_name": "LoadedMaliciousModule", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30581525267-10204-2296592?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30581525267-10204-2296592", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10204, + "tactic_id": "TA0005", + "technique_id": "T1574.002", + "tactic": "Defense Evasion", + "technique": "DLL Side-Loading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30581525267-10204-2296592", + "occurred": "Dec 02 2025 17:43:34", + "pattern_id": 10204, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxaEYLx2aNwRtl-XffcxjuZQAATiEZmtxK9iaQ09VMj9uGHzzJlH7xqyIaPfl5hm9OYe6_vQ==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30582578558" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "cmd.exe /c del /Q C:\\Windows\\Temp\\winsas64.bat", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30581525267-10204-2296592", + "confidence": 80, + "context_timestamp": "2025-12-02T23:42:31.805Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "crawled_timestamp": "2025-12-02T23:43:36.117990896Z", + "created_timestamp": "2025-12-02T23:43:34.069066938Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module associated with known malware. Malware might have hijacked a benign process and loaded the malicious module to evade detection. Review the DLLs the process loaded.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:41:26Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LoadedMaliciousModule", + "email_sent": true, + "event_correlation_id": "7a39e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30581525267-10204-2296592?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30581525267-10204-2296592", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:42:31Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "283.3758849855796", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30581525267-10204-2296592", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "common", + "local_process_id": "9944", + "logon_domain": "SKT", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "mitre_attack": [ + { + "pattern_id": 10204, + "tactic_id": "TA0005", + "technique_id": "T1574.002", + "tactic": "Defense Evasion", + "technique": "DLL Side-Loading" + } + ], + "name": "LoadedMaliciousModule", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30527598555", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10204, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxaEYLx2aNwRtl-XffcxjuZQAATiEZmtxK9iaQ09VMj9uGHzzJlH7xqyIaPfl5hm9OYe6_vQ==", + "priority_details": { + "raw_value": 63 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 63, + "process_end_time": "1764718951", + "process_id": "30581525267", + "process_start_time": "1764718951", + "product": "epp", + "scenario": "evade_detection", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "DLL Side-Loading", + "technique_id": "T1574.002", + "template_instance_id": "14931", + "timestamp": "2025-12-02T23:42:32.191Z", + "tree_id": "8595404239", + "tree_root": "30527598555", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30581525267", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:43:37.082446523Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "evade_detection", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:42:32", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:43:37.082446523Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "DLL Side-Loading", + "technique_id": "T1574.002", + "cloud_indicator": "false", + "cmdline": "cmd.exe /c del /Q C:\\Windows\\Temp\\winsas64.bat", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:41:26Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30581525267-10204-2296592", + "local_prevalence": "common", + "local_process_id": 9944, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 63 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 63, + "process_id": 30581525267, + "process_start_time": 1764718951, + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "tree_id": 8595404239, + "tree_root": 30527598555, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30581525267", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "7a39e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "alleged_filetype": "exe", + "parent_process_id": 30527598555, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30582578558" + ], + "process_end_time": 1764718951, + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:42:31Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "283.3758849855796", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 14931, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:44:37", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "dq4x11FQJHq9qRi4cg1faQ==:1:61:140", + "_insert_time": "Dec 02 2025 17:44:47", + "_name": "LateralMovementPsExec", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30583105831-10387-2340624", + "confidence": 80, + "context_timestamp": "Dec 02 2025 17:43:30", + "crawled_timestamp": "2025-12-02T23:44:33.318933484Z", + "created_timestamp": "2025-12-02T23:44:33.318924642Z", + "data_domains": [ + "Endpoint" + ], + "description": "PsExec was executed. This is a tool adversaries have used to write programs to the ADMIN$ network share and execute commands on remote systems. Investigate the process tree.", + "display_name": "LateralMovementPsExec", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30583105831-10387-2340624?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30583105831-10387-2340624", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10387, + "tactic_id": "TA0008", + "technique_id": "T1021", + "tactic": "Lateral Movement", + "technique": "Remote Services" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30583105831-10387-2340624", + "occurred": "Dec 02 2025 17:44:33", + "pattern_id": 10387, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx6_NwC7SGIEUMK0cfsr4xWAAATiEIaukxl0bpbZYETfu20RyatTbyVb_ipQvMVnGiOHNfEA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30584019696" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "cmd.exe /c move C:\\Windows\\Temp\\wmimetricsq.exe \\\\bannik\\C$\\Windows\\System32", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30583105831-10387-2340624", + "confidence": 80, + "context_timestamp": "2025-12-02T23:43:30.569Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "crawled_timestamp": "2025-12-02T23:44:33.318933484Z", + "created_timestamp": "2025-12-02T23:44:33.318924642Z", + "data_domains": [ + "Endpoint" + ], + "description": "PsExec was executed. This is a tool adversaries have used to write programs to the ADMIN$ network share and execute commands on remote systems. Investigate the process tree.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:41:26Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LateralMovementPsExec", + "email_sent": true, + "event_correlation_id": "f639e6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30583105831-10387-2340624?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "files_written": [ + { + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\Mup\\bannik\\C$\\Windows\\System32", + "timestamp": "1764719011" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30583105831-10387-2340624", + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:43:30Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "316.1162595555309", + "start": "2025-12-02T22:20:06Z" + }, + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30583105831-10387-2340624", + "ioc_context": [], + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "local_prevalence": "common", + "local_process_id": "11024", + "logon_domain": "SKT", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "mitre_attack": [ + { + "pattern_id": 10387, + "tactic_id": "TA0008", + "technique_id": "T1021", + "tactic": "Lateral Movement", + "technique": "Remote Services" + } + ], + "name": "LateralMovementPsExec", + "objective": "Explore", + "parent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30527598555", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10387, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx6_NwC7SGIEUMK0cfsr4xWAAATiEIaukxl0bpbZYETfu20RyatTbyVb_ipQvMVnGiOHNfEA==", + "priority_details": { + "raw_value": 62 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10387: PsExec was executed. This is a tool adversaries have used to write programs to the ADMIN$ network share and execute commands on remote systems. Investigate the process tree.", + "[MOD] The process is: cmd.exe", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 62, + "process_end_time": "1764719011", + "process_id": "30583105831", + "process_start_time": "1764719010", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Remote Services", + "technique_id": "T1021", + "template_instance_id": "14920", + "timestamp": "2025-12-02T23:43:31.082Z", + "tree_id": "8595404239", + "tree_root": "30527598555", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30583105831", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:44:37.950783456Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:43:31", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:44:37.950783456Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Explore", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Remote Services", + "technique_id": "T1021", + "cloud_indicator": "false", + "cmdline": "cmd.exe /c move C:\\Windows\\Temp\\wmimetricsq.exe \\\\bannik\\C$\\Windows\\System32", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:41:26Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30583105831-10387-2340624", + "local_prevalence": "common", + "local_process_id": 11024, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 62 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10387: PsExec was executed. This is a tool adversaries have used to write programs to the ADMIN$ network share and execute commands on remote systems. Investigate the process tree.", + "[MOD] The process is: cmd.exe", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 62, + "process_id": 30583105831, + "process_start_time": 1764719010, + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "tree_id": 8595404239, + "tree_root": 30527598555, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30583105831", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "f639e6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "alleged_filetype": "exe", + "parent_process_id": 30527598555, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "928", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30075467319", + "process_id": "30075467319", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "2025-12-02T23:03:50.507Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:30584019696" + ], + "process_end_time": 1764719011, + "incident": { + "created": "2025-12-02T22:53:17Z", + "end": "2025-12-02T23:43:30Z", + "id": "inc:87ef612d8acd4f6897cc9eb253469ee4:cf0357e43e24404b8d97c20bca45a9d1", + "score": "316.1162595555309", + "start": "2025-12-02T22:20:06Z" + }, + "template_instance_id": 14920, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\Mup\\bannik\\C$\\Windows\\System32", + "timestamp": "1764719011" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "61e13cba38ae1e4dbe34eda0aac1411bec19f6bf6186aa5988fd1d5156705e61", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:46:57", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "7xuaVqVKacRDZZ6winX8qA==:0:61:140", + "_insert_time": "Dec 02 2025 17:47:47", + "_name": "ApexSuspiciousProcessTree", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30591376218-10438-2377232", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:45:54", + "crawled_timestamp": "2025-12-02T23:46:55.539298724Z", + "created_timestamp": "2025-12-02T23:46:55.539289552Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process execution displays command line arguments deemed malicious by AI based on behavioral characteristics. It might be malware andor part of an adversarys toolkit. Investigate the process tree, and review the associated command lines.", + "display_name": "Anomalous Process Execution", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30591376218-10438-2377232?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30591376218-10438-2377232", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10438, + "tactic_id": "CSTA0010", + "technique_id": "CST0023", + "tactic": "AI Powered IOA", + "technique": "User Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30591376218-10438-2377232", + "occurred": "Dec 02 2025 17:46:55", + "pattern_id": 10438, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxnKpagudpFsYuHHXTDpZzPAAATiE5Bi_UMkcfAqrzrpkm4Aw5hsT-RQEhdm_DpDqV_uXS7g==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "schtasks /Change /S bannik /U skt\\Frieda /P Password3! /TN \"\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\" /TR C:\\Windows\\System32\\wmimetricsq.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30591376218-10438-2377232", + "confidence": 70, + "context_timestamp": "2025-12-02T23:45:54.130Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "crawled_timestamp": "2025-12-02T23:46:55.539298724Z", + "created_timestamp": "2025-12-02T23:46:55.539289552Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process execution displays command line arguments deemed malicious by AI based on behavioral characteristics. It might be malware andor part of an adversarys toolkit. Investigate the process tree, and review the associated command lines.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:46:14Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Anomalous Process Execution", + "email_sent": true, + "event_correlation_id": "443be6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30591376218-10438-2377232?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "schtasks.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\schtasks.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30591376218-10438-2377232", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30591376218-10438-2377232", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "2380", + "logon_domain": "SKT", + "md5": "76cd6626dd8834bd4a42e6a565104dc2", + "mitre_attack": [ + { + "pattern_id": 10438, + "tactic_id": "CSTA0010", + "technique_id": "CST0023", + "tactic": "AI Powered IOA", + "technique": "User Execution" + } + ], + "name": "ApexSuspiciousProcessTree", + "network_accesses": [ + { + "access_timestamp": "1764719152", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50944", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "135" + }, + { + "access_timestamp": "1764719152", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50945", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "49666" + } + ], + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c schtasks /Change /S bannik /U skt\\Frieda /P Password3! /TN \"\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\" /TR %SystemRoot%\\System32\\wmimetricsq.exe", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "4904", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30589815217", + "process_id": "30589815217", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:45:54Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30589815217", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10438, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxnKpagudpFsYuHHXTDpZzPAAATiE5Bi_UMkcfAqrzrpkm4Aw5hsT-RQEhdm_DpDqV_uXS7g==", + "priority_details": { + "raw_value": 90 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 10438: A process execution displays command line arguments deemed malicious by AI based on behavioral characteristics. It might be malware andor part of an adversarys toolkit. Investigate the process tree, and review the associated command lines.", + "[MOD] The process is: schtasks.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 90, + "process_end_time": "1764719152", + "process_id": "30591376218", + "process_start_time": "1764719151", + "product": "epp", + "scenario": "attacker_methodology", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 60, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "013c013e0efd13c9380fad58418b7aca8356e591a5cceffdb910f7d8b0ad28ef", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "AI Powered IOA", + "tactic_id": "CSTA0010", + "technique": "User Execution", + "technique_id": "CST0023", + "template_instance_id": "23577", + "timestamp": "2025-12-02T23:45:54.254Z", + "tree_id": "8595404239", + "tree_root": "30527598555", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30591376218", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:46:57.616697451Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "attacker_methodology", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 60, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:45:54", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:46:57.616697451Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "AI Powered IOA", + "tactic_id": "CSTA0010", + "technique": "User Execution", + "technique_id": "CST0023", + "cloud_indicator": "false", + "cmdline": "schtasks /Change /S bannik /U skt\\Frieda /P Password3! /TN \"\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\" /TR C:\\Windows\\System32\\wmimetricsq.exe", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:46:14Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "schtasks.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\schtasks.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30591376218-10438-2377232", + "local_prevalence": "unique", + "local_process_id": 2380, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 90 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 10438: A process execution displays command line arguments deemed malicious by AI based on behavioral characteristics. It might be malware andor part of an adversarys toolkit. Investigate the process tree, and review the associated command lines.", + "[MOD] The process is: schtasks.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 90, + "process_id": 30591376218, + "process_start_time": 1764719151, + "sha256": "013c013e0efd13c9380fad58418b7aca8356e591a5cceffdb910f7d8b0ad28ef", + "tree_id": 8595404239, + "tree_root": 30527598555, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30591376218", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "443be6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "76cd6626dd8834bd4a42e6a565104dc2", + "alleged_filetype": "exe", + "parent_process_id": 30589815217, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c schtasks /Change /S bannik /U skt\\Frieda /P Password3! /TN \"\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\" /TR %SystemRoot%\\System32\\wmimetricsq.exe", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "4904", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30589815217", + "process_id": "30589815217", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:45:54Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": 1764719152, + "incident": "", + "template_instance_id": 23577, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764719152", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50944", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "135" + }, + { + "access_timestamp": "1764719152", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50945", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "49666" + } + ], + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:47:57", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "/QvxgGr2nw2UjIXFgU3COQ==:4:61:140", + "_insert_time": "Dec 02 2025 17:48:47", + "_name": "ApexSuspiciousProcessTree", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30594796026-10438-2393360", + "confidence": 70, + "context_timestamp": "Dec 02 2025 17:46:53", + "crawled_timestamp": "2025-12-02T23:47:55.581670082Z", + "created_timestamp": "2025-12-02T23:47:55.581663907Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process execution displays command line arguments deemed malicious by AI based on behavioral characteristics. It might be malware andor part of an adversarys toolkit. Investigate the process tree, and review the associated command lines.", + "display_name": "Anomalous Process Execution", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30594796026-10438-2393360?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30594796026-10438-2393360", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10438, + "tactic_id": "CSTA0010", + "technique_id": "CST0023", + "tactic": "AI Powered IOA", + "technique": "User Execution" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30594796026-10438-2393360", + "occurred": "Dec 02 2025 17:47:55", + "pattern_id": 10438, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-EApVP3xZjelTX8osXNFcgAATiE9223XW_fJZWdyVc2pVzl5SCQTlqkbIqRAD9_Dwf4Ssw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "schtasks /Run /S bannik /U skt\\Frieda /P Password3! /TN \"\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\" /I", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30594796026-10438-2393360", + "confidence": 70, + "context_timestamp": "2025-12-02T23:46:53.513Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "crawled_timestamp": "2025-12-02T23:47:55.581670082Z", + "created_timestamp": "2025-12-02T23:47:55.581663907Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process execution displays command line arguments deemed malicious by AI based on behavioral characteristics. It might be malware andor part of an adversarys toolkit. Investigate the process tree, and review the associated command lines.", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:46:14Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Anomalous Process Execution", + "email_sent": true, + "event_correlation_id": "e73be6ec-d5cf-f011-9bde-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:30594796026-10438-2393360?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "schtasks.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\schtasks.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30594796026-10438-2393360", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30594796026-10438-2393360", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "10856", + "logon_domain": "SKT", + "md5": "76cd6626dd8834bd4a42e6a565104dc2", + "mitre_attack": [ + { + "pattern_id": 10438, + "tactic_id": "CSTA0010", + "technique_id": "CST0023", + "tactic": "AI Powered IOA", + "technique": "User Execution" + } + ], + "name": "ApexSuspiciousProcessTree", + "network_accesses": [ + { + "access_timestamp": "1764719211", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50976", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "49666" + }, + { + "access_timestamp": "1764719211", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50975", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "135" + } + ], + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c schtasks /Run /S bannik /U skt\\Frieda /P Password3! /TN \"\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\" /I", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "8636", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30593182760", + "process_id": "30593182760", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:46:54Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "parent_process_id": "30593182760", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10438, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-EApVP3xZjelTX8osXNFcgAATiE9223XW_fJZWdyVc2pVzl5SCQTlqkbIqRAD9_Dwf4Ssw==", + "priority_details": { + "raw_value": 90 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 10438: A process execution displays command line arguments deemed malicious by AI based on behavioral characteristics. It might be malware andor part of an adversarys toolkit. Investigate the process tree, and review the associated command lines.", + "[MOD] The process is: schtasks.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 90, + "process_end_time": "1764719211", + "process_id": "30594796026", + "process_start_time": "1764719211", + "product": "epp", + "scenario": "attacker_methodology", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 60, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "013c013e0efd13c9380fad58418b7aca8356e591a5cceffdb910f7d8b0ad28ef", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "AI Powered IOA", + "tactic_id": "CSTA0010", + "technique": "User Execution", + "technique_id": "CST0023", + "template_instance_id": "23577", + "timestamp": "2025-12-02T23:46:53.637Z", + "tree_id": "8595404239", + "tree_root": "30527598555", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30594796026", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:47:57.388461304Z", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$", + "user_principal": "hobgoblin$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "attacker_methodology", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 60, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:46:53", + "type": "ldt", + "updated_timestamp": "2025-12-02T23:47:57.388461304Z", + "user_name": "hobgoblin$", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "AI Powered IOA", + "tactic_id": "CSTA0010", + "technique": "User Execution", + "technique_id": "CST0023", + "cloud_indicator": "false", + "cmdline": "schtasks /Run /S bannik /U skt\\Frieda /P Password3! /TN \"\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\" /I", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:8595404239", + "device": { + "agent_load_flags": "17", + "agent_local_time": "2025-12-02T23:03:44.194Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "skt.local" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T23:39:59Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:46:14Z", + "os_version": "Windows 10", + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "schtasks.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\schtasks.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:30594796026-10438-2393360", + "local_prevalence": "unique", + "local_process_id": 10856, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 90 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 10438: A process execution displays command line arguments deemed malicious by AI based on behavioral characteristics. It might be malware andor part of an adversarys toolkit. Investigate the process tree, and review the associated command lines.", + "[MOD] The process is: schtasks.exe", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 90, + "process_id": 30594796026, + "process_start_time": 1764719211, + "sha256": "013c013e0efd13c9380fad58418b7aca8356e591a5cceffdb910f7d8b0ad28ef", + "tree_id": 8595404239, + "tree_root": 30527598555, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30594796026", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "e73be6ec-d5cf-f011-9bde-000d3a1e5143", + "md5": "76cd6626dd8834bd4a42e6a565104dc2", + "alleged_filetype": "exe", + "parent_process_id": 30593182760, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c schtasks /Run /S bannik /U skt\\Frieda /P Password3! /TN \"\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\" /I", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "8636", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30593182760", + "process_id": "30593182760", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-02T23:46:54Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "944", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:30527598555", + "process_id": "30527598555", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-02T23:34:00Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "hobgoblin$" + }, + "user_principal": "hobgoblin$@skt.local", + "child_process_ids": "", + "process_end_time": 1764719211, + "incident": "", + "template_instance_id": 23577, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764719211", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50976", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "49666" + }, + { + "access_timestamp": "1764719211", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "50975", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "135" + } + ], + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 13:55:20", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "fRzlHFjVR/8+A9R9ubLTfg==:0:61:140", + "_insert_time": "Dec 02 2025 13:55:46", + "_name": "OnWrite-MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-2341392", + "confidence": 70, + "context_timestamp": "Dec 02 2025 13:54:13", + "crawled_timestamp": "2025-12-02T19:55:15.312223764Z", + "created_timestamp": "2025-12-02T19:55:15.3122172Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-2341392?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-2341392", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-2341392", + "occurred": "Dec 02 2025 13:55:15", + "pattern_id": 5733, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxIkHPTyZHI_DDuDg45YJ5WgAATiFAOWqglVf8PLqsG9a7X4n4rBnFTwq3V3FhGiipRrO9-w==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc" + } + ], + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:15866649541", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15864393904", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15868901588", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15877693578", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16085945724", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16298870797", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16720312290", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16820522482", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16918213440", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17166744410", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17417747486", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17418290250", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17421243282", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17434371952", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17649906842", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17863515344", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17968424885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18283717754", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18463212187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18712754921", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18932369834", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18934343905", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18939068885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18953606577", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19170934532", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19397465880", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19802500552", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19998516339", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20002049589", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20254152034", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20488652910", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20487387661", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20493113138", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20517722255", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20735649868", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20952017957", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21367780608", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21372253936", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21554219075", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21808577188", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22025152211", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22026982485", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22028633262", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22042994825", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22260561881", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22484829909", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22899463388", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23081824187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23224695585", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23330555822" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-2341392", + "confidence": 70, + "context_timestamp": "2025-12-02T19:54:13.542Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "crawled_timestamp": "2025-12-02T19:55:15.312223764Z", + "created_timestamp": "2025-12-02T19:55:15.3122172Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T19:50:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T19:53:26Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "fb601505-b6cf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-2341392?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_written": [ + { + "filename": "Unconfirmed 763638.crdownload", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764705227" + } + ], + "global_prevalence": "common", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-2341392", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-2341392", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "local_prevalence": "common", + "local_process_id": "724", + "logon_domain": "SKT", + "md5": "0da9e9ab509b424a726725d287198197", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "OnWrite-MLSensor-High", + "objective": "Falcon Detection Method", + "parent_process_id": "9360230397", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5733, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxIkHPTyZHI_DDuDg45YJ5WgAATiFAOWqglVf8PLqsG9a7X4n4rBnFTwq3V3FhGiipRrO9-w==", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": "9361162797", + "process_start_time": "1763762625", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T19:54:14.425Z", + "tree_id": "4296510352", + "tree_root": "9361162797", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9361162797", + "type": "ldt", + "updated_timestamp": "2025-12-02T19:55:20.163020132Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 13:54:14", + "type": "ldt", + "updated_timestamp": "2025-12-02T19:55:20.163020132Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T19:50:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T19:53:26Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-2341392", + "local_prevalence": "common", + "local_process_id": 724, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": 9361162797, + "process_start_time": 1763762625, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4296510352, + "tree_root": 9361162797, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9361162797", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "fb601505-b6cf-f011-9bdd-000d3a1e5143", + "md5": "0da9e9ab509b424a726725d287198197", + "alleged_filetype": "exe", + "parent_process_id": 9360230397, + "sha1": 0, + "parent_details": "", + "grandparent_details": "", + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:15866649541", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15864393904", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15868901588", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15877693578", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16085945724", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16298870797", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16720312290", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16820522482", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16918213440", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17166744410", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17417747486", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17418290250", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17421243282", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17434371952", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17649906842", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17863515344", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17968424885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18283717754", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18463212187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18712754921", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18932369834", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18934343905", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18939068885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18953606577", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19170934532", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19397465880", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19802500552", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19998516339", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20002049589", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20254152034", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20488652910", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20487387661", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20493113138", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20517722255", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20735649868", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20952017957", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21367780608", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21372253936", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21554219075", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21808577188", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22025152211", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22026982485", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22028633262", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22042994825", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22260561881", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22484829909", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22899463388", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23081824187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23224695585", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23330555822" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "md5": "0da9e9ab509b424a726725d287198197", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "Unconfirmed 763638.crdownload", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764705227" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads\\NTFVersion.exe", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 14:39:06", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "0oRJLKKxpIvwSVb+reVOpw==:0:61:140", + "_insert_time": "Dec 02 2025 14:39:46", + "_name": "OnWrite-MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3588880", + "confidence": 70, + "context_timestamp": "Dec 02 2025 14:37:56", + "crawled_timestamp": "2025-12-02T20:38:59.23196705Z", + "created_timestamp": "2025-12-02T20:38:59.231953335Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3588880?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3588880", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3588880", + "occurred": "Dec 02 2025 14:38:59", + "pattern_id": 5733, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxkbu87Qu8d1OqZphk4__jDQAATiHjoAJioAlq0IddYsskbN189VCpIemqrS0kZKnYQ0PDXw==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:15866649541", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15864393904", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15868901588", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15877693578", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16085945724", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16298870797", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16720312290", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16820522482", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16918213440", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17166744410", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17417747486", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17418290250", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17421243282", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17434371952", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17649906842", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17863515344", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17968424885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18283717754", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18463212187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18712754921", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18932369834", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18934343905", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18939068885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18953606577", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19170934532", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19397465880", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19802500552", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19998516339", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20002049589", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20254152034", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20487387661", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20488652910", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20493113138", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20517722255", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20735649868", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20952017957", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21367780608", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21372253936", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21554219075", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21808577188", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22025152211", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22026982485", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22028633262", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22042994825", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22260561881", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22484829909", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22899463388", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23081824187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23224695585", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23330555822" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3588880", + "confidence": 70, + "context_timestamp": "2025-12-02T20:37:56.538Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "crawled_timestamp": "2025-12-02T20:38:59.23196705Z", + "created_timestamp": "2025-12-02T20:38:59.231953335Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:35:51Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "51fc5aa5-becf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3588880?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_written": [ + { + "filename": "Unconfirmed 763638.crdownload", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764705227" + }, + { + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764707876" + } + ], + "global_prevalence": "common", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3588880", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3588880", + "ioc_context": [], + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "local_prevalence": "common", + "local_process_id": "724", + "logon_domain": "SKT", + "md5": "41ca85881332bec79131d8bce2d358ed", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "OnWrite-MLSensor-High", + "objective": "Falcon Detection Method", + "parent_process_id": "9360230397", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5733, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxkbu87Qu8d1OqZphk4__jDQAATiHjoAJioAlq0IddYsskbN189VCpIemqrS0kZKnYQ0PDXw==", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": "9361162797", + "process_start_time": "1763762625", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "39cfab8383597baa568918a634f973e13653466af7f61d41d541692b20443393", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T20:37:57.42Z", + "tree_id": "4296510352", + "tree_root": "9361162797", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9361162797", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:39:06.367481607Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 14:37:57", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:39:06.367481607Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:35:51Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3588880", + "local_prevalence": "common", + "local_process_id": 724, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": 9361162797, + "process_start_time": 1763762625, + "sha256": "39cfab8383597baa568918a634f973e13653466af7f61d41d541692b20443393", + "tree_id": 4296510352, + "tree_root": 9361162797, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9361162797", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "51fc5aa5-becf-f011-9bdd-000d3a1e5143", + "md5": "41ca85881332bec79131d8bce2d358ed", + "alleged_filetype": "exe", + "parent_process_id": 9360230397, + "sha1": 0, + "parent_details": "", + "grandparent_details": "", + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:15866649541", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15864393904", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15868901588", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15877693578", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16085945724", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16298870797", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16720312290", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16820522482", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16918213440", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17166744410", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17417747486", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17418290250", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17421243282", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17434371952", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17649906842", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17863515344", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17968424885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18283717754", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18463212187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18712754921", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18932369834", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18934343905", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18939068885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18953606577", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19170934532", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19397465880", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19802500552", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19998516339", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20002049589", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20254152034", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20487387661", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20488652910", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20493113138", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20517722255", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20735649868", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20952017957", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21367780608", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21372253936", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21554219075", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21808577188", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22025152211", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22026982485", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22028633262", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22042994825", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22260561881", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22484829909", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22899463388", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23081824187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23224695585", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23330555822" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "Unconfirmed 763638.crdownload", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764705227" + }, + { + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764707876" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 14:41:04", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "gZbqQkxrhnQHjtHhCCg1iw==:0:61:140", + "_insert_time": "Dec 02 2025 14:41:46", + "_name": "OnWrite-MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3741712", + "confidence": 70, + "context_timestamp": "Dec 02 2025 14:39:57", + "crawled_timestamp": "2025-12-02T20:40:59.550696713Z", + "created_timestamp": "2025-12-02T20:40:59.550689016Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3741712?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3741712", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3741712", + "occurred": "Dec 02 2025 14:40:59", + "pattern_id": 5733, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxGrAY7lZ1yjNClJIsFO75uAAATiFtganjFoNfI0VLTvZKkjVSPzWJZaX1KMXcqU5_9ST4Ug==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:15866649541", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15864393904", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15868901588", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15877693578", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16085945724", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16298870797", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16720312290", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16820522482", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16918213440", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17166744410", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17417747486", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17418290250", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17421243282", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17434371952", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17649906842", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17863515344", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17968424885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18283717754", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18463212187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18712754921", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18932369834", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18934343905", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18939068885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18953606577", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19170934532", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19397465880", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19802500552", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19998516339", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20002049589", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20254152034", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20488652910", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20487387661", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20493113138", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20517722255", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20735649868", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20952017957", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21367780608", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21372253936", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21554219075", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21808577188", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22025152211", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22026982485", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22028633262", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22042994825", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22260561881", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22484829909", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22899463388", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23081824187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23224695585", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23330555822" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3741712", + "confidence": 70, + "context_timestamp": "2025-12-02T20:39:57.200Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "crawled_timestamp": "2025-12-02T20:40:59.550696713Z", + "created_timestamp": "2025-12-02T20:40:59.550689016Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:35:51Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "7b075ba5-becf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3741712?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_written": [ + { + "filename": "Unconfirmed 763638.crdownload", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764705227" + }, + { + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764707876" + }, + { + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764707997" + } + ], + "global_prevalence": "common", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3741712", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3741712", + "ioc_context": [], + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "local_prevalence": "common", + "local_process_id": "724", + "logon_domain": "SKT", + "md5": "41ca85881332bec79131d8bce2d358ed", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "OnWrite-MLSensor-High", + "objective": "Falcon Detection Method", + "parent_process_id": "9360230397", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5733, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxGrAY7lZ1yjNClJIsFO75uAAATiFtganjFoNfI0VLTvZKkjVSPzWJZaX1KMXcqU5_9ST4Ug==", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": "9361162797", + "process_start_time": "1763762625", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "39cfab8383597baa568918a634f973e13653466af7f61d41d541692b20443393", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T20:39:57.995Z", + "tree_id": "4296510352", + "tree_root": "9361162797", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9361162797", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:41:04.761731608Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 14:39:57", + "type": "ldt", + "updated_timestamp": "2025-12-02T20:41:04.761731608Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4296510352", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T20:26:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T20:35:51Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9361162797-5733-3741712", + "local_prevalence": "common", + "local_process_id": 724, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": 9361162797, + "process_start_time": 1763762625, + "sha256": "39cfab8383597baa568918a634f973e13653466af7f61d41d541692b20443393", + "tree_id": 4296510352, + "tree_root": 9361162797, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9361162797", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "7b075ba5-becf-f011-9bdd-000d3a1e5143", + "md5": "41ca85881332bec79131d8bce2d358ed", + "alleged_filetype": "exe", + "parent_process_id": 9360230397, + "sha1": 0, + "parent_details": "", + "grandparent_details": "", + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": [ + "pid:87ef612d8acd4f6897cc9eb253469ee4:15866649541", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15864393904", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15868901588", + "pid:87ef612d8acd4f6897cc9eb253469ee4:15877693578", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16085945724", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16298870797", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16720312290", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16820522482", + "pid:87ef612d8acd4f6897cc9eb253469ee4:16918213440", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17166744410", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17417747486", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17418290250", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17421243282", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17434371952", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17649906842", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17863515344", + "pid:87ef612d8acd4f6897cc9eb253469ee4:17968424885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18283717754", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18463212187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18712754921", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18932369834", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18934343905", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18939068885", + "pid:87ef612d8acd4f6897cc9eb253469ee4:18953606577", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19170934532", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19397465880", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19802500552", + "pid:87ef612d8acd4f6897cc9eb253469ee4:19998516339", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20002049589", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20254152034", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20488652910", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20487387661", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20493113138", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20517722255", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20735649868", + "pid:87ef612d8acd4f6897cc9eb253469ee4:20952017957", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21367780608", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21372253936", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21554219075", + "pid:87ef612d8acd4f6897cc9eb253469ee4:21808577188", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22025152211", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22026982485", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22028633262", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22042994825", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22260561881", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22484829909", + "pid:87ef612d8acd4f6897cc9eb253469ee4:22899463388", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23081824187", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23224695585", + "pid:87ef612d8acd4f6897cc9eb253469ee4:23330555822" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "Unconfirmed 763638.crdownload", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764705227" + }, + { + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764707876" + }, + { + "filename": "NTFVersion.exe", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\Downloads", + "timestamp": "1764707997" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 13:54:25", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "brKL1F38zBYBPyhV1F6UVQ==:0:61:140", + "_insert_time": "Dec 02 2025 13:55:22", + "_name": "OnWrite-MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4295649105", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9362833350-5733-2323216", + "confidence": 70, + "context_timestamp": "Dec 02 2025 13:53:19", + "crawled_timestamp": "2025-12-02T19:54:22.491585615Z", + "created_timestamp": "2025-12-02T19:54:22.491578586Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9362833350-5733-2323216?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9362833350-5733-2323216", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9362833350-5733-2323216", + "occurred": "Dec 02 2025 13:54:22", + "pattern_id": 5733, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxsWbvQLRJ6wAJPKhJDaed8QAATiEYocvaVniX9vSKrWuPqv5oRu_d1FR1w4OIuTWCRYRGZA==", + "product": "epp", + "rawJSON": { + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "aggregate_id": "aggind:87ef612d8acd4f6897cc9eb253469ee4:4295649105", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data\\f_00002c", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc" + } + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --startup-read-main-dll --metrics-shmem-handle=1996,i,5858947215452628203,5136150853448467288,524288 --field-trial-handle=2788,i,2833603951753821707,13473991206173222606,262144 --variations-seed-version --trace-process-track-uuid=3190708989122997041 --mojo-platform-channel-handle=2816 /prefetch:3", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9362833350-5733-2323216", + "confidence": 70, + "context_timestamp": "2025-12-02T19:53:19.818Z", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4295649105", + "crawled_timestamp": "2025-12-02T19:54:22.491585615Z", + "created_timestamp": "2025-12-02T19:54:22.491578586Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file system meets the on-sensor machine learning high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T19:50:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T19:53:26Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "b75d1505-b6cf-f011-9bdd-000d3a1e5143", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:87ef612d8acd4f6897cc9eb253469ee4:9362833350-5733-2323216?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_written": [ + { + "filename": "f_00002c", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data", + "timestamp": "1764705197" + } + ], + "global_prevalence": "common", + "host_names": [ + "hobgoblin" + ], + "id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9362833350-5733-2323216", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9362833350-5733-2323216", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data\\f_00002c", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data\\f_00002c", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "local_prevalence": "common", + "local_process_id": "7424", + "logon_domain": "SKT", + "md5": "41ca85881332bec79131d8bce2d358ed", + "mitre_attack": [ + { + "pattern_id": 5733, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "OnWrite-MLSensor-High", + "network_accesses": [ + { + "access_timestamp": "1764108234", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "55172", + "protocol": "UDP", + "remote_address": "23.53.35.176", + "remote_port": "443" + }, + { + "access_timestamp": "1764108288", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "51630", + "protocol": "TCP", + "remote_address": "13.107.246.40", + "remote_port": "443" + }, + { + "access_timestamp": "1764108294", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "51636", + "protocol": "TCP", + "remote_address": "13.107.213.40", + "remote_port": "443" + }, + { + "access_timestamp": "1764108488", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "51720", + "protocol": "TCP", + "remote_address": "150.171.29.11", + "remote_port": "443" + }, + { + "access_timestamp": "1764108547", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "51746", + "protocol": "TCP", + "remote_address": "150.171.22.17", + "remote_port": "443" + }, + { + "access_timestamp": "1764108854", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "51870", + "protocol": "TCP", + "remote_address": "150.171.27.11", + "remote_port": "443" + }, + { + "access_timestamp": "1764122695", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "57711", + "protocol": "TCP", + "remote_address": "150.171.28.11", + "remote_port": "443" + }, + { + "access_timestamp": "1764134526", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "62690", + "protocol": "TCP", + "remote_address": "150.171.27.11", + "remote_port": "80" + }, + { + "access_timestamp": "1764137349", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "63882", + "protocol": "TCP", + "remote_address": "52.123.251.20", + "remote_port": "443" + }, + { + "access_timestamp": "1764151577", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "53506", + "protocol": "TCP", + "remote_address": "104.40.82.182", + "remote_port": "443" + } + ], + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "724", + "md5": "41ca85881332bec79131d8bce2d358ed", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9361162797", + "process_id": "9361162797", + "sha256": "39cfab8383597baa568918a634f973e13653466af7f61d41d541692b20443393", + "timestamp": "2025-12-01T23:12:34.918Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "parent_process_id": "9361162797", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5733, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxsWbvQLRJ6wAJPKhJDaed8QAATiEYocvaVniX9vSKrWuPqv5oRu_d1FR1w4OIuTWCRYRGZA==", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": "9362833350", + "process_start_time": "1763762626", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "show_in_ui": true, + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-02T19:53:20.492Z", + "tree_id": "4295649105", + "tree_root": "9362833350", + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9362833350", + "type": "ldt", + "updated_timestamp": "2025-12-02T19:54:25.728530479Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter", + "user_principal": "Gunter@SKT.LOCAL", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "hobgoblin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 13:53:20", + "type": "ldt", + "updated_timestamp": "2025-12-02T19:54:25.728530479Z", + "user_name": "Gunter", + "agent_id": "87ef612d8acd4f6897cc9eb253469ee4", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --startup-read-main-dll --metrics-shmem-handle=1996,i,5858947215452628203,5136150853448467288,524288 --field-trial-handle=2788,i,2833603951753821707,13473991206173222606,262144 --variations-seed-version --trace-process-track-uuid=3190708989122997041 --mojo-platform-channel-handle=2816 /prefetch:3", + "control_graph_id": "ctg:87ef612d8acd4f6897cc9eb253469ee4:4295649105", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:12:30.808Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "87ef612d8acd4f6897cc9eb253469ee4", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:19:29Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "hobgoblin", + "instance_id": "818f39ae-50bd-4fe2-a47c-88c8806e70c2", + "last_seen": "2025-12-02T19:50:48Z", + "local_ip": "10.20.20.102", + "mac_address": "00-0d-3a-1e-51-43", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T19:53:26Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:87ef612d8acd4f6897cc9eb253469ee4:9362833350-5733-2323216", + "local_prevalence": "common", + "local_process_id": 7424, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": 9362833350, + "process_start_time": 1763762626, + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "tree_id": 4295649105, + "tree_root": 9362833350, + "triggering_process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9362833350", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "email_sent": "true", + "event_correlation_id": "b75d1505-b6cf-f011-9bdd-000d3a1e5143", + "md5": "41ca85881332bec79131d8bce2d358ed", + "alleged_filetype": "exe", + "parent_process_id": 9361162797, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "724", + "md5": "41ca85881332bec79131d8bce2d358ed", + "process_graph_id": "pid:87ef612d8acd4f6897cc9eb253469ee4:9361162797", + "process_id": "9361162797", + "sha256": "39cfab8383597baa568918a634f973e13653466af7f61d41d541692b20443393", + "timestamp": "2025-12-01T23:12:34.918Z", + "user_graph_id": "uid:87ef612d8acd4f6897cc9eb253469ee4:S-1-5-21-4168186624-547105363-3065826963-1111", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1111", + "user_name": "Gunter" + }, + "grandparent_details": "", + "user_principal": "Gunter@SKT.LOCAL", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data\\f_00002c", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data\\f_00002c", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "f_00002c", + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data", + "timestamp": "1764705197" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764108234", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "55172", + "protocol": "UDP", + "remote_address": "23.53.35.176", + "remote_port": "443" + }, + { + "access_timestamp": "1764108288", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "51630", + "protocol": "TCP", + "remote_address": "13.107.246.40", + "remote_port": "443" + }, + { + "access_timestamp": "1764108294", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "51636", + "protocol": "TCP", + "remote_address": "13.107.213.40", + "remote_port": "443" + }, + { + "access_timestamp": "1764108488", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "51720", + "protocol": "TCP", + "remote_address": "150.171.29.11", + "remote_port": "443" + }, + { + "access_timestamp": "1764108547", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "51746", + "protocol": "TCP", + "remote_address": "150.171.22.17", + "remote_port": "443" + }, + { + "access_timestamp": "1764108854", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "51870", + "protocol": "TCP", + "remote_address": "150.171.27.11", + "remote_port": "443" + }, + { + "access_timestamp": "1764122695", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "57711", + "protocol": "TCP", + "remote_address": "150.171.28.11", + "remote_port": "443" + }, + { + "access_timestamp": "1764134526", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "62690", + "protocol": "TCP", + "remote_address": "150.171.27.11", + "remote_port": "80" + }, + { + "access_timestamp": "1764137349", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "63882", + "protocol": "TCP", + "remote_address": "52.123.251.20", + "remote_port": "443" + }, + { + "access_timestamp": "1764151577", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.102", + "local_port": "53506", + "protocol": "TCP", + "remote_address": "104.40.82.182", + "remote_port": "443" + } + ], + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Users\\Gunter\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cache\\Cache_Data\\f_00002c", + "sha256": "fe9ea7be2021b0d02525c676ae0fd7276740bb090d1c2ac52c4904b54be3d2dc" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 17:59:28", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "zWFqeOripfhH4igFft6sOg==:5:61:140", + "_insert_time": "Dec 02 2025 17:59:46", + "_name": "ProtocolAnomalyValidAccounts", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:439CD0F1-8679-456A-A250-24CF6977AE63", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:439CD0F1-8679-456A-A250-24CF6977AE63", + "confidence": 20, + "context_timestamp": "Dec 02 2025 17:58:27", + "crawled_timestamp": "2025-12-02T23:59:28.580369574Z", + "created_timestamp": "2025-12-02T23:59:28.580360Z", + "data_domains": [ + "Identity" + ], + "description": "An authentication protocol was used in an unusual manner", + "display_name": "Suspicious protocol implementation (valid accounts)", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:439CD0F1-8679-456A-A250-24CF6977AE63?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "vm000000" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:439CD0F1-8679-456A-A250-24CF6977AE63", + "incident_type": "IDP detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 51103, + "tactic_id": "TA0004", + "technique_id": "T1078", + "tactic": "Privilege Escalation", + "technique": "Valid Accounts" + } + ], + "name": "IDP Detection ID: f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:439CD0F1-8679-456A-A250-24CF6977AE63", + "occurred": "Dec 02 2025 17:59:28", + "pattern_id": 51103, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxem-1rbdyV3dWUSMi_KjwlAAATiEjUirY_JMi_yEnTrGE-nXrY3ba18-B2MlS2weWT0Oosg==", + "product": "idp", + "rawJSON": { + "active_directory_authentication_method": "5", + "activity_id": "CAC545A8-8109-40FF-9105-8E302603C3A9", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:439CD0F1-8679-456A-A250-24CF6977AE63", + "alert_attributes": "0", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:439CD0F1-8679-456A-A250-24CF6977AE63", + "confidence": 20, + "context_timestamp": "2025-12-02T23:58:27.000Z", + "crawled_timestamp": "2025-12-02T23:59:28.580369574Z", + "created_timestamp": "2025-12-02T23:59:28.580360Z", + "data_domains": [ + "Identity" + ], + "description": "An authentication protocol was used in an unusual manner", + "destination_hosts": [ + "khabibulin.skt.local" + ], + "display_name": "Suspicious protocol implementation (valid accounts)", + "end_time": "2025-12-02T23:54:38.000Z", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:439CD0F1-8679-456A-A250-24CF6977AE63?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "vm000000" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:439CD0F1-8679-456A-A250-24CF6977AE63", + "mitre_attack": [ + { + "pattern_id": 51103, + "tactic_id": "TA0004", + "technique_id": "T1078", + "tactic": "Privilege Escalation", + "technique": "Valid Accounts" + } + ], + "name": "ProtocolAnomalyValidAccounts", + "objective": "Gain Access", + "pattern_id": 51103, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxem-1rbdyV3dWUSMi_KjwlAAATiEjUirY_JMi_yEnTrGE-nXrY3ba18-B2MlS2weWT0Oosg==", + "product": "idp", + "protocol_anomaly_classification": "1", + "protocol_anomaly_classification_list": [ + "GENERAL_PROTOCOL_ANOMALY" + ], + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 31, + "severity_name": "Low", + "show_in_ui": true, + "source_account_domain": "SKT.LOCAL", + "source_account_name": "Adalwolfa", + "source_account_object_guid": "E5DC79B5-FF69-4816-9B76-E90EAEDD2D39", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1112", + "source_endpoint_account_object_guid": "1A16C11A-C21A-3BA5-9FCD-684F012EEC73", + "source_endpoint_host_name": "vm000000", + "source_hosts": [ + "vm000000" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "start_time": "2025-12-02T23:54:38.000Z", + "status": "new", + "tactic": "Privilege Escalation", + "tactic_id": "TA0004", + "target_account_name": "KHABIBULIN$", + "target_endpoint_host_name": "khabibulin.skt.local", + "target_endpoint_sensor_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "technique": "Valid Accounts", + "technique_id": "T1078", + "timestamp": "2025-12-02T23:58:27.162Z", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-02T23:59:28.58036084Z", + "user_name": "Adalwolfa", + "incident_type": "IDP detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 31, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "vm000000" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 17:58:27", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-02T23:59:28.58036084Z", + "user_name": "Adalwolfa", + "agent_id": "", + "objective": "Gain Access", + "tactic": "Privilege Escalation", + "tactic_id": "TA0004", + "technique": "Valid Accounts", + "technique_id": "T1078", + "cloud_indicator": "", + "cmdline": "", + "control_graph_id": "", + "device": "", + "filename": "", + "filepath": "", + "global_prevalence": "", + "indicator_id": "", + "local_prevalence": "", + "local_process_id": "", + "logon_domain": "", + "pattern_disposition": "", + "pattern_disposition_description": "", + "pattern_disposition_details": "", + "platform": "", + "priority_details": "", + "priority_explanation": "", + "priority_value": "", + "process_id": "", + "process_start_time": "", + "sha256": "", + "tree_id": "", + "tree_root": "", + "triggering_process_graph_id": "", + "user_id": "", + "email_sent": "", + "event_correlation_id": "", + "md5": "", + "alleged_filetype": "", + "parent_process_id": "", + "sha1": "", + "parent_details": "", + "grandparent_details": "", + "user_principal": "", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "Dec 02 2025 17:54:38", + "ioc_type": "", + "ioc_value": "", + "last_updated": "2025-12-02T23:59:28.58036084Z", + "source_account_domain": "SKT.LOCAL", + "source_account_name": "Adalwolfa", + "source_account_object_guid": "E5DC79B5-FF69-4816-9B76-E90EAEDD2D39", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1112", + "source_endpoint_account_object_guid": "1A16C11A-C21A-3BA5-9FCD-684F012EEC73", + "source_endpoint_host_name": "vm000000", + "start_time": "Dec 02 2025 17:54:38", + "destination_hosts": [ + "khabibulin.skt.local" + ], + "target_account_name": "KHABIBULIN$", + "target_endpoint_host_name": "khabibulin.skt.local", + "target_endpoint_sensor_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": "", + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "CAC545A8-8109-40FF-9105-8E302603C3A9", + "alert_attributes": 0, + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": 5, + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": 1, + "protocol_anomaly_classification_list": [ + "GENERAL_PROTOCOL_ANOMALY" + ], + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 14:15:08", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "MfAUmP6ifdJAhHARO5+Q6w==:0:61:140", + "_insert_time": "Dec 02 2025 14:15:46", + "_name": "IdpPolicyAccessRuleMatch", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:93C0348A-4F99-4316-96CF-283DE9B9AA8C", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:93C0348A-4F99-4316-96CF-283DE9B9AA8C", + "confidence": 90, + "context_timestamp": "Dec 02 2025 14:08:26", + "crawled_timestamp": "2025-12-02T20:15:08.310285108Z", + "created_timestamp": "2025-12-02T20:15:08.310277Z", + "data_domains": [ + "Identity" + ], + "description": "A policy rule was triggered by a user access", + "display_name": "Policy rule match (access)", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:93C0348A-4F99-4316-96CF-283DE9B9AA8C?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "WIN1-CRWD" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:93C0348A-4F99-4316-96CF-283DE9B9AA8C", + "incident_type": "IDP detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 51144 + } + ], + "name": "IDP Detection ID: f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:93C0348A-4F99-4316-96CF-283DE9B9AA8C", + "occurred": "Dec 02 2025 14:15:08", + "pattern_id": 51144, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxx_hUMF7PsIgjoALApTjD0gAATiELePD1y3J3z1GS6DcX8hcjZP5A35ragGr6P-bKCySPFg==", + "product": "idp", + "rawJSON": { + "agent_id": "8a812be3a24c4b65b095f31090a24ba6", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:93C0348A-4F99-4316-96CF-283DE9B9AA8C", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:93C0348A-4F99-4316-96CF-283DE9B9AA8C", + "confidence": 90, + "context_timestamp": "2025-12-02T20:08:26.960Z", + "crawled_timestamp": "2025-12-02T20:15:08.310285108Z", + "created_timestamp": "2025-12-02T20:15:08.310277Z", + "data_domains": [ + "Identity" + ], + "description": "A policy rule was triggered by a user access", + "destination_hosts": [ + "win1-crwd.managed.local" + ], + "display_name": "Policy rule match (access)", + "end_time": "2025-12-02T20:08:26.960Z", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:93C0348A-4F99-4316-96CF-283DE9B9AA8C?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "WIN1-CRWD" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:93C0348A-4F99-4316-96CF-283DE9B9AA8C", + "idp_policy_enforced_externally": "0", + "idp_policy_rule_action": "4", + "idp_policy_rule_action_list": [ + "MFA" + ], + "idp_policy_rule_id": "70FEEE10-CDDE-49FF-994E-4719842E15E3", + "idp_policy_rule_name": "Enforce MFA", + "idp_policy_rule_trigger": "1", + "mitre_attack": [ + { + "pattern_id": 51144 + } + ], + "name": "IdpPolicyAccessRuleMatch", + "pattern_id": 51144, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxx_hUMF7PsIgjoALApTjD0gAATiELePD1y3J3z1GS6DcX8hcjZP5A35ragGr6P-bKCySPFg==", + "product": "idp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 39, + "severity_name": "Low", + "show_in_ui": true, + "source_account_domain": "MANAGED.LOCAL", + "source_account_name": "user1", + "source_account_object_guid": "EAFEAC06-BCEF-42CF-BFD0-310C6E0321D1", + "source_account_object_sid": "S-1-5-21-98835150-3848893693-3624133918-1105", + "source_account_sam_account_name": "user1", + "source_account_upn": "user1@managed.local", + "source_endpoint_account_object_guid": "7204B34C-CA3C-4A5C-A088-623D57DCE10A", + "source_endpoint_address_ip4": "10.0.11.204", + "source_endpoint_host_name": "WIN1-CRWD", + "source_endpoint_ip_address": "10.0.11.204", + "source_endpoint_sensor_id": "8a812be3a24c4b65b095f31090a24ba6", + "source_hosts": [ + "WIN1-CRWD" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "start_time": "2025-12-02T20:08:26.960Z", + "status": "new", + "target_account_name": "WIN1-CRWD$", + "target_endpoint_account_object_guid": "7204B34C-CA3C-4A5C-A088-623D57DCE10A", + "target_endpoint_account_object_sid": "S-1-5-21-98835150-3848893693-3624133918-1106", + "target_endpoint_host_name": "win1-crwd.managed.local", + "target_endpoint_sensor_id": "8a812be3a24c4b65b095f31090a24ba6", + "timestamp": "2025-12-02T20:14:06.896Z", + "type": "idp-user-endpoint-app-info", + "updated_timestamp": "2025-12-02T20:15:08.310277384Z", + "user_name": "user1", + "incident_type": "IDP detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 39, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "WIN1-CRWD" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 14:14:06", + "type": "idp-user-endpoint-app-info", + "updated_timestamp": "2025-12-02T20:15:08.310277384Z", + "user_name": "user1", + "agent_id": "8a812be3a24c4b65b095f31090a24ba6", + "objective": "", + "tactic": "", + "tactic_id": "", + "technique": "", + "technique_id": "", + "cloud_indicator": "", + "cmdline": "", + "control_graph_id": "", + "device": "", + "filename": "", + "filepath": "", + "global_prevalence": "", + "indicator_id": "", + "local_prevalence": "", + "local_process_id": "", + "logon_domain": "", + "pattern_disposition": "", + "pattern_disposition_description": "", + "pattern_disposition_details": "", + "platform": "", + "priority_details": "", + "priority_explanation": "", + "priority_value": "", + "process_id": "", + "process_start_time": "", + "sha256": "", + "tree_id": "", + "tree_root": "", + "triggering_process_graph_id": "", + "user_id": "", + "email_sent": "", + "event_correlation_id": "", + "md5": "", + "alleged_filetype": "", + "parent_process_id": "", + "sha1": "", + "parent_details": "", + "grandparent_details": "", + "user_principal": "", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "Dec 02 2025 14:08:26", + "ioc_type": "", + "ioc_value": "", + "last_updated": "2025-12-02T20:15:08.310277384Z", + "source_account_domain": "MANAGED.LOCAL", + "source_account_name": "user1", + "source_account_object_guid": "EAFEAC06-BCEF-42CF-BFD0-310C6E0321D1", + "source_account_object_sid": "S-1-5-21-98835150-3848893693-3624133918-1105", + "source_endpoint_account_object_guid": "7204B34C-CA3C-4A5C-A088-623D57DCE10A", + "source_endpoint_host_name": "WIN1-CRWD", + "start_time": "Dec 02 2025 14:08:26", + "destination_hosts": [ + "win1-crwd.managed.local" + ], + "target_account_name": "WIN1-CRWD$", + "target_endpoint_host_name": "win1-crwd.managed.local", + "target_endpoint_sensor_id": "8a812be3a24c4b65b095f31090a24ba6", + "source_endpoint_sensor_id": "8a812be3a24c4b65b095f31090a24ba6", + "target_endpoint_account_object_guid": "7204B34C-CA3C-4A5C-A088-623D57DCE10A", + "target_endpoint_account_object_sid": "S-1-5-21-98835150-3848893693-3624133918-1106", + "ioc_context": "", + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "user1@managed.local", + "source_endpoint_address_ip4": "10.0.11.204", + "source_endpoint_ip_address": "10.0.11.204", + "idp_policy_rule_id": "70FEEE10-CDDE-49FF-994E-4719842E15E3", + "idp_policy_rule_name": "Enforce MFA", + "source_account_sam_account_name": "user1", + "files_written": "", + "idp_policy_enforced_externally": 0, + "idp_policy_rule_action": 4, + "idp_policy_rule_action_list": [ + "MFA" + ], + "idp_policy_rule_trigger": 1, + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 13:09:48", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "fi2cE6IkNxy0RvDxMig8zg==:0:61:140", + "_insert_time": "Dec 02 2025 13:10:46", + "_name": "IdpPolicyAccessRuleMatch", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:1235AD51-9380-4410-AB60-2D95EBF96668", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:1235AD51-9380-4410-AB60-2D95EBF96668", + "confidence": 90, + "context_timestamp": "Dec 02 2025 13:07:55", + "crawled_timestamp": "2025-12-02T19:09:48.128536269Z", + "created_timestamp": "2025-12-02T19:09:48.128525Z", + "data_domains": [ + "Identity" + ], + "description": "A policy rule was triggered by a user access", + "display_name": "Policy rule match (access)", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:1235AD51-9380-4410-AB60-2D95EBF96668?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "WIN2-CRWD" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:1235AD51-9380-4410-AB60-2D95EBF96668", + "incident_type": "IDP detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 51144 + } + ], + "name": "IDP Detection ID: f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:1235AD51-9380-4410-AB60-2D95EBF96668", + "occurred": "Dec 02 2025 13:09:48", + "pattern_id": 51144, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxEmRHfJok0bQ1Xsnrp-DFIgAATiFgkaV7cKSuTHVee04sBGde2566tK1FdJTs83ka3MPXiA==", + "product": "idp", + "rawJSON": { + "agent_id": "9d0933e2976842beaaafa1efa257286d", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:1235AD51-9380-4410-AB60-2D95EBF96668", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:1235AD51-9380-4410-AB60-2D95EBF96668", + "confidence": 90, + "context_timestamp": "2025-12-02T19:07:55.962Z", + "crawled_timestamp": "2025-12-02T19:09:48.128536269Z", + "created_timestamp": "2025-12-02T19:09:48.128525Z", + "data_domains": [ + "Identity" + ], + "description": "A policy rule was triggered by a user access", + "destination_hosts": [ + "win2-crwd.managed.local" + ], + "display_name": "Policy rule match (access)", + "end_time": "2025-12-02T19:07:55.962Z", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:1235AD51-9380-4410-AB60-2D95EBF96668?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "WIN2-CRWD" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:1235AD51-9380-4410-AB60-2D95EBF96668", + "idp_policy_enforced_externally": "0", + "idp_policy_rule_action": "4", + "idp_policy_rule_action_list": [ + "MFA" + ], + "idp_policy_rule_id": "70FEEE10-CDDE-49FF-994E-4719842E15E3", + "idp_policy_rule_name": "Enforce MFA", + "idp_policy_rule_trigger": "1", + "mitre_attack": [ + { + "pattern_id": 51144 + } + ], + "name": "IdpPolicyAccessRuleMatch", + "pattern_id": 51144, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxEmRHfJok0bQ1Xsnrp-DFIgAATiFgkaV7cKSuTHVee04sBGde2566tK1FdJTs83ka3MPXiA==", + "product": "idp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 39, + "severity_name": "Low", + "show_in_ui": true, + "source_account_domain": "MANAGED.LOCAL", + "source_account_name": "user1", + "source_account_object_guid": "EAFEAC06-BCEF-42CF-BFD0-310C6E0321D1", + "source_account_object_sid": "S-1-5-21-98835150-3848893693-3624133918-1105", + "source_account_sam_account_name": "user1", + "source_account_upn": "user1@managed.local", + "source_endpoint_account_object_guid": "7E9B4DF8-3E67-4A40-AA14-0E0117D53DDE", + "source_endpoint_address_ip4": "10.0.11.34", + "source_endpoint_host_name": "WIN2-CRWD", + "source_endpoint_ip_address": "10.0.11.34", + "source_endpoint_sensor_id": "9d0933e2976842beaaafa1efa257286d", + "source_hosts": [ + "WIN2-CRWD" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "start_time": "2025-12-02T19:07:55.962Z", + "status": "new", + "target_account_name": "WIN2-CRWD$", + "target_endpoint_account_object_guid": "7E9B4DF8-3E67-4A40-AA14-0E0117D53DDE", + "target_endpoint_account_object_sid": "S-1-5-21-98835150-3848893693-3624133918-1104", + "target_endpoint_host_name": "win2-crwd.managed.local", + "target_endpoint_sensor_id": "9d0933e2976842beaaafa1efa257286d", + "timestamp": "2025-12-02T19:08:46.744Z", + "type": "idp-user-endpoint-app-info", + "updated_timestamp": "2025-12-02T19:09:48.128525972Z", + "user_name": "user1", + "incident_type": "IDP detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 39, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "WIN2-CRWD" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 13:08:46", + "type": "idp-user-endpoint-app-info", + "updated_timestamp": "2025-12-02T19:09:48.128525972Z", + "user_name": "user1", + "agent_id": "9d0933e2976842beaaafa1efa257286d", + "objective": "", + "tactic": "", + "tactic_id": "", + "technique": "", + "technique_id": "", + "cloud_indicator": "", + "cmdline": "", + "control_graph_id": "", + "device": "", + "filename": "", + "filepath": "", + "global_prevalence": "", + "indicator_id": "", + "local_prevalence": "", + "local_process_id": "", + "logon_domain": "", + "pattern_disposition": "", + "pattern_disposition_description": "", + "pattern_disposition_details": "", + "platform": "", + "priority_details": "", + "priority_explanation": "", + "priority_value": "", + "process_id": "", + "process_start_time": "", + "sha256": "", + "tree_id": "", + "tree_root": "", + "triggering_process_graph_id": "", + "user_id": "", + "email_sent": "", + "event_correlation_id": "", + "md5": "", + "alleged_filetype": "", + "parent_process_id": "", + "sha1": "", + "parent_details": "", + "grandparent_details": "", + "user_principal": "", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "Dec 02 2025 13:07:55", + "ioc_type": "", + "ioc_value": "", + "last_updated": "2025-12-02T19:09:48.128525972Z", + "source_account_domain": "MANAGED.LOCAL", + "source_account_name": "user1", + "source_account_object_guid": "EAFEAC06-BCEF-42CF-BFD0-310C6E0321D1", + "source_account_object_sid": "S-1-5-21-98835150-3848893693-3624133918-1105", + "source_endpoint_account_object_guid": "7E9B4DF8-3E67-4A40-AA14-0E0117D53DDE", + "source_endpoint_host_name": "WIN2-CRWD", + "start_time": "Dec 02 2025 13:07:55", + "destination_hosts": [ + "win2-crwd.managed.local" + ], + "target_account_name": "WIN2-CRWD$", + "target_endpoint_host_name": "win2-crwd.managed.local", + "target_endpoint_sensor_id": "9d0933e2976842beaaafa1efa257286d", + "source_endpoint_sensor_id": "9d0933e2976842beaaafa1efa257286d", + "target_endpoint_account_object_guid": "7E9B4DF8-3E67-4A40-AA14-0E0117D53DDE", + "target_endpoint_account_object_sid": "S-1-5-21-98835150-3848893693-3624133918-1104", + "ioc_context": "", + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "user1@managed.local", + "source_endpoint_address_ip4": "10.0.11.34", + "source_endpoint_ip_address": "10.0.11.34", + "idp_policy_rule_id": "70FEEE10-CDDE-49FF-994E-4719842E15E3", + "idp_policy_rule_name": "Enforce MFA", + "source_account_sam_account_name": "user1", + "files_written": "", + "idp_policy_enforced_externally": 0, + "idp_policy_rule_action": 4, + "idp_policy_rule_action_list": [ + "MFA" + ], + "idp_policy_rule_trigger": 1, + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 04 2025 12:01:07", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "B37C4LtogCzFpspGPSaZjA==:0:61:140", + "_insert_time": "Dec 04 2025 12:01:46", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17205864801", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-5708-117859344", + "confidence": 70, + "context_timestamp": "Dec 04 2025 12:00:01", + "crawled_timestamp": "2025-12-04T18:01:04.940649361Z", + "created_timestamp": "2025-12-04T18:01:04.94064293Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-5708-117859344?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-5708-117859344", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-5708-117859344", + "occurred": "Dec 04 2025 12:01:04", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxjKuKVPSP7xOa9pcbs82viQAATiGTVYlfeIVvfc4Tqnzko8htTSEv22B74ktqs0mCn6zyxw==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17205864801", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:33184195021" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-5708-117859344", + "confidence": 70, + "context_timestamp": "2025-12-04T18:00:01.458Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17205864801", + "crawled_timestamp": "2025-12-04T18:01:04.940649361Z", + "created_timestamp": "2025-12-04T18:01:04.94064293Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T17:57:57Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:58:15Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "f1fbfaad-35d1-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-5708-117859344?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-5708-117859344", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-5708-117859344", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "local_prevalence": "low", + "local_process_id": "8984", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxjKuKVPSP7xOa9pcbs82viQAATiGTVYlfeIVvfc4Tqnzko8htTSEv22B74ktqs0mCn6zyxw==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_end_time": "1764871201", + "process_id": "33182403628", + "process_start_time": "1764871200", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-04T18:00:01.653Z", + "tree_id": "17205864801", + "tree_root": "33182403628", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:33182403628", + "type": "ldt", + "updated_timestamp": "2025-12-04T18:01:07.247723073Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 04 2025 12:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-04T18:01:07.247723073Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17205864801", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T17:57:57Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:58:15Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-5708-117859344", + "local_prevalence": "low", + "local_process_id": 8984, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_id": 33182403628, + "process_start_time": 1764871200, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17205864801, + "tree_root": 33182403628, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:33182403628", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "f1fbfaad-35d1-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:33184195021" + ], + "process_end_time": 1764871201, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 04 2025 12:01:07", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "B37C4LtogCzFpspGPSaZjA==:1:61:140", + "_insert_time": "Dec 04 2025 12:01:46", + "_name": "RemoteFileCopy", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17205864801", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-10292-117859856", + "confidence": 80, + "context_timestamp": "Dec 04 2025 12:00:01", + "crawled_timestamp": "2025-12-04T18:01:04.945348659Z", + "created_timestamp": "2025-12-04T18:01:04.945341977Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "display_name": "RemoteFileCopy", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-10292-117859856?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-10292-117859856", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-10292-117859856", + "occurred": "Dec 04 2025 12:01:04", + "pattern_id": 10292, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxbj6AwP3_XlvrAWzuOsQXvgAATiFJNxJYBdwr9yPhyHmkvMB0DA870GwFAg2wqu59JHNJ8A==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17205864801", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:33184195021" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-10292-117859856", + "confidence": 80, + "context_timestamp": "2025-12-04T18:00:01.458Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17205864801", + "crawled_timestamp": "2025-12-04T18:01:04.945348659Z", + "created_timestamp": "2025-12-04T18:01:04.945341977Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T17:57:57Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:58:15Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "RemoteFileCopy", + "email_sent": true, + "event_correlation_id": "f2fbfaad-35d1-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-10292-117859856?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-10292-117859856", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-10292-117859856", + "ioc_context": [], + "local_prevalence": "low", + "local_process_id": "8984", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "RemoteFileCopy", + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10292, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxbj6AwP3_XlvrAWzuOsQXvgAATiFJNxJYBdwr9yPhyHmkvMB0DA870GwFAg2wqu59JHNJ8A==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_end_time": "1764871201", + "process_id": "33182403628", + "process_start_time": "1764871200", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "template_instance_id": "7090", + "timestamp": "2025-12-04T18:00:01.653Z", + "tree_id": "17205864801", + "tree_root": "33182403628", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:33182403628", + "type": "ldt", + "updated_timestamp": "2025-12-04T18:01:07.254353639Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 04 2025 12:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-04T18:01:07.254353639Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17205864801", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-04T17:57:57Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-04T17:58:15Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:33182403628-10292-117859856", + "local_prevalence": "low", + "local_process_id": 8984, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_id": 33182403628, + "process_start_time": 1764871200, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17205864801, + "tree_root": 33182403628, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:33182403628", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "f2fbfaad-35d1-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:33184195021" + ], + "process_end_time": 1764871201, + "incident": "", + "template_instance_id": 7090, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:59:16", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "NOvkvADuG/cp0oPCyhmxBg==:7:61:140", + "_insert_time": "Dec 02 2025 18:59:46", + "_name": "MaliciousModule", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4300283680", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-10136-3889936", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:58:11", + "crawled_timestamp": "2025-12-03T00:59:13.823882121Z", + "created_timestamp": "2025-12-03T00:59:13.823874428Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "display_name": "MaliciousModule", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-10136-3889936?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-10136-3889936", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-10136-3889936", + "occurred": "Dec 02 2025 18:59:13", + "pattern_id": 10136, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxWjmImF2ohtVOgqKgxuRWbgAATiEy0bmCnzMzZHMbyWrqSbrA2x87bdluXgKZr8IV2p588g==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4300283680", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22929367612", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22932460850", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22932324740", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22941645755", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22938404596", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22939694495", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22940433508", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22937032160", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22934372369", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22942707638", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22947412512", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22945527344", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22946841105", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22943091356", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22951712169", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22953057293", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22954913349", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22960213473", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22961880068", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22963299314", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22964833839", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22966838889", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22977033969", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22981524096", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22988144656", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22990127295", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22991313301", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22997718250", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23002410332", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23005494925", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23004256385", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23009815108", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23015297716", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23037429480", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23041106103", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23039956193", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23042157728", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23039038761", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23036322375", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23043080457", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23043723110", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23046395010", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23050179075", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23052907227", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23054315794", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23056456253", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23058470623", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23067428383", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23074435654", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23076869641" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-10136-3889936", + "confidence": 80, + "context_timestamp": "2025-12-03T00:58:11.490Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4300283680", + "crawled_timestamp": "2025-12-03T00:59:13.823882121Z", + "created_timestamp": "2025-12-03T00:59:13.823874428Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MaliciousModule", + "email_sent": true, + "event_correlation_id": "cfa97296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-10136-3889936?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_accessed": [ + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723491" + } + ], + "files_written": [ + { + "filename": "Microsoft Edge.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", + "timestamp": "1764719771" + }, + { + "filename": "domain_actions.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_326536210", + "timestamp": "1764720132" + }, + { + "filename": "well_known_domains.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_572621730", + "timestamp": "1764720531" + }, + { + "filename": "Microsoft.CognitiveServices.Speech.core.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_881493112", + "timestamp": "1764720788" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "4176", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22861421361", + "process_id": "22861421361", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-03T00:58:11Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-21-4168186624-547105363-3065826963-1112", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "user_name": "adalwolfa" + }, + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-10136-3889936", + "incident": { + "created": "2025-12-03T00:52:56Z", + "end": "2025-12-03T00:58:11Z", + "id": "inc:6440ce0fd5114f8e8e6cdcf0ebc5326c:c73245a39b5746338ac416daf1367112", + "score": "18.404261860216526", + "start": "2025-12-03T00:52:52Z" + }, + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-10136-3889936", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "5868", + "logon_domain": "SKT", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "MaliciousModule", + "network_accesses": [ + { + "access_timestamp": "1764719776", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "224.0.0.251", + "remote_port": "5353" + }, + { + "access_timestamp": "1764723492", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "52424", + "protocol": "TCP", + "remote_address": "91.52.62.203", + "remote_port": "80" + }, + { + "access_timestamp": "1764719776", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": true, + "local_address": "fe80:0:0:0:745b:af14:1d46:a739", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "ff02:0:0:0:0:0:0:fb", + "remote_port": "5353" + } + ], + "objective": "Follow Through", + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" ", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "10612", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22927701416", + "process_id": "22927701416", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-03T00:58:12Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-21-4168186624-547105363-3065826963-1112", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "user_name": "adalwolfa" + }, + "parent_process_id": "22927701416", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10136, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxWjmImF2ohtVOgqKgxuRWbgAATiEy0bmCnzMzZHMbyWrqSbrA2x87bdluXgKZr8IV2p588g==", + "priority_details": { + "raw_value": 71 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 71, + "process_id": "22928534850", + "process_start_time": "1764719753", + "product": "epp", + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "template_instance_id": "13395", + "timestamp": "2025-12-03T00:58:11.819Z", + "tree_id": "4300283680", + "tree_root": "22928534850", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:16.968465571Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "user_name": "adalwolfa", + "user_principal": "Adalwolfa@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:58:11", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:16.968465571Z", + "user_name": "adalwolfa", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Follow Through", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4300283680", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-10136-3889936", + "local_prevalence": "common", + "local_process_id": 5868, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 71 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 71, + "process_id": 22928534850, + "process_start_time": 1764719753, + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "tree_id": 4300283680, + "tree_root": 22928534850, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "email_sent": "true", + "event_correlation_id": "cfa97296-decf-f011-9bde-7c1e525c4876", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "alleged_filetype": "exe", + "parent_process_id": 22927701416, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" ", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "10612", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22927701416", + "process_id": "22927701416", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-03T00:58:12Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-21-4168186624-547105363-3065826963-1112", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "user_name": "adalwolfa" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "4176", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22861421361", + "process_id": "22861421361", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-03T00:58:11Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-21-4168186624-547105363-3065826963-1112", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "user_name": "adalwolfa" + }, + "user_principal": "Adalwolfa@skt.local", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22929367612", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22932460850", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22932324740", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22941645755", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22938404596", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22939694495", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22940433508", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22937032160", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22934372369", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22942707638", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22947412512", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22945527344", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22946841105", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22943091356", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22951712169", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22953057293", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22954913349", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22960213473", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22961880068", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22963299314", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22964833839", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22966838889", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22977033969", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22981524096", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22988144656", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22990127295", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22991313301", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22997718250", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23002410332", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23005494925", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23004256385", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23009815108", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23015297716", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23037429480", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23041106103", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23039956193", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23042157728", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23039038761", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23036322375", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23043080457", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23043723110", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23046395010", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23050179075", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23052907227", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23054315794", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23056456253", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23058470623", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23067428383", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23074435654", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23076869641" + ], + "process_end_time": "", + "incident": { + "created": "2025-12-03T00:52:56Z", + "end": "2025-12-03T00:58:11Z", + "id": "inc:6440ce0fd5114f8e8e6cdcf0ebc5326c:c73245a39b5746338ac416daf1367112", + "score": "18.404261860216526", + "start": "2025-12-03T00:52:52Z" + }, + "template_instance_id": 13395, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "Microsoft Edge.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", + "timestamp": "1764719771" + }, + { + "filename": "domain_actions.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_326536210", + "timestamp": "1764720132" + }, + { + "filename": "well_known_domains.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_572621730", + "timestamp": "1764720531" + }, + { + "filename": "Microsoft.CognitiveServices.Speech.core.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_881493112", + "timestamp": "1764720788" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764719776", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "224.0.0.251", + "remote_port": "5353" + }, + { + "access_timestamp": "1764723492", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "52424", + "protocol": "TCP", + "remote_address": "91.52.62.203", + "remote_port": "80" + }, + { + "access_timestamp": "1764719776", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": true, + "local_address": "fe80:0:0:0:745b:af14:1d46:a739", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "ff02:0:0:0:0:0:0:fb", + "remote_port": "5353" + } + ], + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723491" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:59:14", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "NOvkvADuG/cp0oPCyhmxBg==:6:61:140", + "_insert_time": "Dec 02 2025 18:59:46", + "_name": "MaliciousModule", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682-10136-3858960", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:58:09", + "crawled_timestamp": "2025-12-03T00:59:10.740708875Z", + "created_timestamp": "2025-12-03T00:59:10.740697734Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "display_name": "MaliciousModule", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682-10136-3858960?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682-10136-3858960", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682-10136-3858960", + "occurred": "Dec 02 2025 18:59:10", + "pattern_id": 10136, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxbYEruQGO3fCPeZZRp3mJgwAATiGxsomHmJAqOl_1EZARrOzWoEP1m7Y_rU8i5YdaIZJ-Ug==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682-10136-3858960", + "confidence": 80, + "context_timestamp": "2025-12-03T00:58:09.137Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "crawled_timestamp": "2025-12-03T00:59:10.740708875Z", + "created_timestamp": "2025-12-03T00:59:10.740697734Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MaliciousModule", + "email_sent": true, + "event_correlation_id": "b3a97296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682-10136-3858960?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "files_accessed": [ + { + "filename": "history.jpg", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723489" + }, + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723489" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "592", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:132604397", + "process_id": "132604397", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682-10136-3858960", + "incident": { + "created": "2025-12-03T00:52:56Z", + "end": "2025-12-03T00:58:11Z", + "id": "inc:6440ce0fd5114f8e8e6cdcf0ebc5326c:c73245a39b5746338ac416daf1367112", + "score": "18.404261860216526", + "start": "2025-12-03T00:52:52Z" + }, + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682-10136-3858960", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "4856", + "logon_domain": "WORKGROUP", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "mitre_attack": [ + { + "pattern_id": 10136, + "tactic_id": "TA0002", + "technique_id": "T1129", + "tactic": "Execution", + "technique": "Shared Modules" + } + ], + "name": "MaliciousModule", + "objective": "Follow Through", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "732", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:12557689", + "process_id": "12557689", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "parent_process_id": "12557689", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10136, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxbYEruQGO3fCPeZZRp3mJgwAATiGxsomHmJAqOl_1EZARrOzWoEP1m7Y_rU8i5YdaIZJ-Ug==", + "priority_details": { + "raw_value": 96 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10136: A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "[MOD] The process is: svchost.exe", + "[MOD] The parent process was identified as: services.exe", + "[MOD] The grandparent process was identified as: wininit.exe" + ], + "priority_value": 96, + "process_id": "23289889682", + "process_start_time": "1764723488", + "product": "epp", + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "template_instance_id": "13035", + "timestamp": "2025-12-03T00:58:09.896Z", + "tree_id": "4298474062", + "tree_root": "23289889682", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:14.178650219Z", + "user_id": "S-1-5-18", + "user_name": "khabibulin$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "known_malware", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:58:09", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:14.178650219Z", + "user_name": "khabibulin$", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Follow Through", + "tactic": "Execution", + "tactic_id": "TA0002", + "technique": "Shared Modules", + "technique_id": "T1129", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "global_prevalence": "common", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682-10136-3858960", + "local_prevalence": "common", + "local_process_id": 4856, + "logon_domain": "WORKGROUP", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 96 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10136: A process loaded a module that shares characteristics with a known malicious file. Review the modules loaded by the process.", + "[MOD] The process is: svchost.exe", + "[MOD] The parent process was identified as: services.exe", + "[MOD] The grandparent process was identified as: wininit.exe" + ], + "priority_value": 96, + "process_id": 23289889682, + "process_start_time": 1764723488, + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "tree_id": 4298474062, + "tree_root": 23289889682, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "b3a97296-decf-f011-9bde-7c1e525c4876", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "alleged_filetype": "exe", + "parent_process_id": 12557689, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "732", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:12557689", + "process_id": "12557689", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "grandparent_details": { + "cmdline": "wininit.exe", + "filename": "wininit.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe", + "local_process_id": "592", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:132604397", + "process_id": "132604397", + "sha256": "fe7a0b26e504062b3a424d540e3f1f5cab8f2db5a421fbbb8b779122d11bd2af", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "user_principal": "", + "child_process_ids": "", + "process_end_time": "", + "incident": { + "created": "2025-12-03T00:52:56Z", + "end": "2025-12-03T00:58:11Z", + "id": "inc:6440ce0fd5114f8e8e6cdcf0ebc5326c:c73245a39b5746338ac416daf1367112", + "score": "18.404261860216526", + "start": "2025-12-03T00:52:52Z" + }, + "template_instance_id": 13035, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "history.jpg", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723489" + }, + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723489" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 03 2025 00:01:04", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "hIYIi7t8/K7UPaBnYAcpPA==:0:61:140", + "_insert_time": "Dec 03 2025 00:01:46", + "_name": "RemoteFileCopy", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17199237263", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-10292-31837200", + "confidence": 80, + "context_timestamp": "Dec 03 2025 00:00:00", + "crawled_timestamp": "2025-12-03T06:01:02.92225707Z", + "created_timestamp": "2025-12-03T06:01:02.922251789Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "display_name": "RemoteFileCopy", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-10292-31837200?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-10292-31837200", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-10292-31837200", + "occurred": "Dec 03 2025 00:01:02", + "pattern_id": 10292, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxjiYu_eBikxurm8UyD45eygAATiFmzCGcYqAC7mylDOB7zVd6oQY0yJK82raSDXaeARr59w==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17199237263", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31814444001" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-10292-31837200", + "confidence": 80, + "context_timestamp": "2025-12-03T06:00:00.811Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17199237263", + "crawled_timestamp": "2025-12-03T06:01:02.92225707Z", + "created_timestamp": "2025-12-03T06:01:02.922251789Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T05:45:57Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T05:56:15Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "RemoteFileCopy", + "email_sent": true, + "event_correlation_id": "80c681de-09d0-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-10292-31837200?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-10292-31837200", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-10292-31837200", + "ioc_context": [], + "local_prevalence": "low", + "local_process_id": "7528", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "RemoteFileCopy", + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10292, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxjiYu_eBikxurm8UyD45eygAATiFmzCGcYqAC7mylDOB7zVd6oQY0yJK82raSDXaeARr59w==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_end_time": "1764741600", + "process_id": "31813363062", + "process_start_time": "1764741600", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "template_instance_id": "7090", + "timestamp": "2025-12-03T06:00:01.011Z", + "tree_id": "17199237263", + "tree_root": "31813363062", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31813363062", + "type": "ldt", + "updated_timestamp": "2025-12-03T06:01:04.331120462Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 03 2025 00:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-03T06:01:04.331120462Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17199237263", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T05:45:57Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T05:56:15Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-10292-31837200", + "local_prevalence": "low", + "local_process_id": 7528, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_id": 31813363062, + "process_start_time": 1764741600, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17199237263, + "tree_root": 31813363062, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31813363062", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "80c681de-09d0-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31814444001" + ], + "process_end_time": 1764741600, + "incident": "", + "template_instance_id": 7090, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 03 2025 12:01:09", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "yT5wYShnE3RxtfMuxLU+yg==:1:61:140", + "_insert_time": "Dec 03 2025 12:01:46", + "_name": "RemoteFileCopy", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17201164696", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-10292-60245776", + "confidence": 80, + "context_timestamp": "Dec 03 2025 12:00:01", + "crawled_timestamp": "2025-12-03T18:01:04.812889634Z", + "created_timestamp": "2025-12-03T18:01:04.812873987Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "display_name": "RemoteFileCopy", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-10292-60245776?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-10292-60245776", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-10292-60245776", + "occurred": "Dec 03 2025 12:01:04", + "pattern_id": 10292, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxvt_hIUOS89RM7D5XEunz0wAATiEGioCEd5QD-ttbdWZAkkav-YYkRVVZjZT8rDJgQPWfyA==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17201164696", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32210998498" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-10292-60245776", + "confidence": 80, + "context_timestamp": "2025-12-03T18:00:01.204Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17201164696", + "crawled_timestamp": "2025-12-03T18:01:04.812889634Z", + "created_timestamp": "2025-12-03T18:01:04.812873987Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T17:38:01Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T17:56:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "RemoteFileCopy", + "email_sent": true, + "event_correlation_id": "3dae1afe-6fd0-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-10292-60245776?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-10292-60245776", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-10292-60245776", + "ioc_context": [], + "local_prevalence": "low", + "local_process_id": "7472", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "RemoteFileCopy", + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10292, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxvt_hIUOS89RM7D5XEunz0wAATiEGioCEd5QD-ttbdWZAkkav-YYkRVVZjZT8rDJgQPWfyA==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_end_time": "1764784801", + "process_id": "32209142763", + "process_start_time": "1764784800", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "template_instance_id": "7090", + "timestamp": "2025-12-03T18:00:01.363Z", + "tree_id": "17201164696", + "tree_root": "32209142763", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32209142763", + "type": "ldt", + "updated_timestamp": "2025-12-03T18:01:09.397079286Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 03 2025 12:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-03T18:01:09.397079286Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17201164696", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T17:38:01Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T17:56:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-10292-60245776", + "local_prevalence": "low", + "local_process_id": 7472, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_id": 32209142763, + "process_start_time": 1764784800, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17201164696, + "tree_root": 32209142763, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32209142763", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "3dae1afe-6fd0-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32210998498" + ], + "process_end_time": 1764784801, + "incident": "", + "template_instance_id": 7090, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:59:14", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "NOvkvADuG/cp0oPCyhmxBg==:2:61:140", + "_insert_time": "Dec 02 2025 18:59:46", + "_name": "RemoteFileCopy", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-10292-3815184", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:58:07", + "crawled_timestamp": "2025-12-03T00:59:10.105478484Z", + "created_timestamp": "2025-12-03T00:59:10.105468017Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "display_name": "RemoteFileCopy", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-10292-3815184?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-10292-3815184", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-10292-3815184", + "occurred": "Dec 02 2025 18:59:10", + "pattern_id": 10292, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx7Aw7Lsux8tw3q6CFNomJiQAATiEkXUFngXkctPtLJ5OHjKWGVOn_uFCMKcTqv9Sg9sRVYQ==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287936371" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\wsqmanager.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-10292-3815184", + "confidence": 80, + "context_timestamp": "2025-12-03T00:58:07.800Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "crawled_timestamp": "2025-12-03T00:59:10.105478484Z", + "created_timestamp": "2025-12-03T00:59:10.105468017Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "RemoteFileCopy", + "email_sent": true, + "event_correlation_id": "02a97296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-10292-3815184?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqmanager.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764723488" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "732", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:12557689", + "process_id": "12557689", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-10292-3815184", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-10292-3815184", + "ioc_context": [], + "local_prevalence": "low", + "local_process_id": "4156", + "logon_domain": "WORKGROUP", + "md5": "fb2407a87c2453ab3150dbd0e9e02439", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "RemoteFileCopy", + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\PSEXESVC.exe", + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\PSEXESVC.exe", + "local_process_id": "6464", + "md5": "44118d8fb41634b3d8d8b1c6fdf9c421", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23286303500", + "process_id": "23286303500", + "sha256": "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e", + "timestamp": "2025-12-03T00:58:21Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "parent_process_id": "23286303500", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10292, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx7Aw7Lsux8tw3q6CFNomJiQAATiEkXUFngXkctPtLJ5OHjKWGVOn_uFCMKcTqv9Sg9sRVYQ==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The process is: wsqmanager.exe", + "[MOD] The parent process was identified as: PSEXESVC.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_end_time": "1764723490", + "process_id": "23287195737", + "process_start_time": "1764723487", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "template_instance_id": "7090", + "timestamp": "2025-12-03T00:58:08.27Z", + "tree_id": "4297103684", + "tree_root": "23287195737", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:14.778598076Z", + "user_id": "S-1-5-18", + "user_name": "khabibulin$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:58:08", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:14.778598076Z", + "user_name": "khabibulin$", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\wsqmanager.exe\"", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqmanager.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "global_prevalence": "low", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-10292-3815184", + "local_prevalence": "low", + "local_process_id": 4156, + "logon_domain": "WORKGROUP", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The process is: wsqmanager.exe", + "[MOD] The parent process was identified as: PSEXESVC.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_id": 23287195737, + "process_start_time": 1764723487, + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "tree_id": 4297103684, + "tree_root": 23287195737, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "02a97296-decf-f011-9bde-7c1e525c4876", + "md5": "fb2407a87c2453ab3150dbd0e9e02439", + "alleged_filetype": "exe", + "parent_process_id": 23286303500, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\PSEXESVC.exe", + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\PSEXESVC.exe", + "local_process_id": "6464", + "md5": "44118d8fb41634b3d8d8b1c6fdf9c421", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23286303500", + "process_id": "23286303500", + "sha256": "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e", + "timestamp": "2025-12-03T00:58:21Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "732", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:12557689", + "process_id": "12557689", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287936371" + ], + "process_end_time": 1764723490, + "incident": "", + "template_instance_id": 7090, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764723488" + }, + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:01:05", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "/tsm9hXv3uqu2NHuaujlWg==:1:61:140", + "_insert_time": "Dec 02 2025 18:01:47", + "_name": "RemoteFileCopy", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17186097233", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-10292-17079824", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:00:01", + "crawled_timestamp": "2025-12-03T00:01:04.351015333Z", + "created_timestamp": "2025-12-03T00:01:04.351008008Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "display_name": "RemoteFileCopy", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-10292-17079824?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-10292-17079824", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-10292-17079824", + "occurred": "Dec 02 2025 18:01:04", + "pattern_id": 10292, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxYXppSYw8QfnNVjXhFGpajQAATiGzMHjicQrlzeI3V8LTVkaHJ8azXt70XBr_3b92_KEpow==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17186097233", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31534286955" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-10292-17079824", + "confidence": 80, + "context_timestamp": "2025-12-03T00:00:01.506Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17186097233", + "crawled_timestamp": "2025-12-03T00:01:04.351015333Z", + "created_timestamp": "2025-12-03T00:01:04.351008008Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "RemoteFileCopy", + "email_sent": true, + "event_correlation_id": "353d88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-10292-17079824?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-10292-17079824", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-10292-17079824", + "ioc_context": [], + "local_prevalence": "low", + "local_process_id": "7152", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "RemoteFileCopy", + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10292, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxYXppSYw8QfnNVjXhFGpajQAATiGzMHjicQrlzeI3V8LTVkaHJ8azXt70XBr_3b92_KEpow==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_end_time": "1764720001", + "process_id": "31533573281", + "process_start_time": "1764720001", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "template_instance_id": "7090", + "timestamp": "2025-12-03T00:00:01.885Z", + "tree_id": "17186097233", + "tree_root": "31533573281", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31533573281", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:01:05.813004817Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:01:05.813004817Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17186097233", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-10292-17079824", + "local_prevalence": "low", + "local_process_id": 7152, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_id": 31533573281, + "process_start_time": 1764720001, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17186097233, + "tree_root": 31533573281, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31533573281", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "353d88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31534286955" + ], + "process_end_time": 1764720001, + "incident": "", + "template_instance_id": 7090, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 03 2025 06:01:07", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "uZr1+UZgjDOLE9T5EPRoyQ==:1:61:140", + "_insert_time": "Dec 03 2025 06:01:46", + "_name": "RemoteFileCopy", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17200638911", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-10292-46118672", + "confidence": 80, + "context_timestamp": "Dec 03 2025 06:00:01", + "crawled_timestamp": "2025-12-03T12:01:06.70224695Z", + "created_timestamp": "2025-12-03T12:01:06.702237862Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "display_name": "RemoteFileCopy", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-10292-46118672?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-10292-46118672", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-10292-46118672", + "occurred": "Dec 03 2025 06:01:06", + "pattern_id": 10292, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxTioK2zttsblAJKofUGZlVQAATiFqw1ywvmqWq0gG9C0mWpI1spPI_naLkZJhpqHr-ZIjoQ==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17200638911", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32005807947" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-10292-46118672", + "confidence": 80, + "context_timestamp": "2025-12-03T12:00:01.141Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17200638911", + "crawled_timestamp": "2025-12-03T12:01:06.70224695Z", + "created_timestamp": "2025-12-03T12:01:06.702237862Z", + "data_domains": [ + "Endpoint" + ], + "description": "A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T11:57:59Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T11:59:04Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "RemoteFileCopy", + "email_sent": true, + "event_correlation_id": "268ec173-3ad0-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-10292-46118672?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-10292-46118672", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-10292-46118672", + "ioc_context": [], + "local_prevalence": "low", + "local_process_id": "3260", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 10292, + "tactic_id": "TA0011", + "technique_id": "T1105", + "tactic": "Command and Control", + "technique": "Ingress Tool Transfer" + } + ], + "name": "RemoteFileCopy", + "objective": "Contact Controlled Systems", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10292, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxTioK2zttsblAJKofUGZlVQAATiFqw1ywvmqWq0gG9C0mWpI1spPI_naLkZJhpqHr-ZIjoQ==", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_end_time": "1764763201", + "process_id": "32004767323", + "process_start_time": "1764763200", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "template_instance_id": "7090", + "timestamp": "2025-12-03T12:00:01.28Z", + "tree_id": "17200638911", + "tree_root": "32004767323", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32004767323", + "type": "ldt", + "updated_timestamp": "2025-12-03T12:01:07.771226687Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 03 2025 06:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-03T12:01:07.771226687Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Contact Controlled Systems", + "tactic": "Command and Control", + "tactic_id": "TA0011", + "technique": "Ingress Tool Transfer", + "technique_id": "T1105", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17200638911", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T11:57:59Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T11:59:04Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-10292-46118672", + "local_prevalence": "low", + "local_process_id": 3260, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 93 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10292: A process unexpectedly wrote and ran an executable. Malware often subverts otherwise benign processes to write and run malicious payloads. Investigate the process tree.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 93, + "process_id": 32004767323, + "process_start_time": 1764763200, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17200638911, + "tree_root": 32004767323, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32004767323", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "268ec173-3ad0-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32005807947" + ], + "process_end_time": 1764763201, + "incident": "", + "template_instance_id": 7090, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:33:18", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "7rli1yUcgxTMjQOP6n2Xsg==:2:61:140", + "_insert_time": "Dec 02 2025 18:33:46", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583234829-10357-17722384", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:32:12", + "crawled_timestamp": "2025-12-03T00:33:15.07405673Z", + "created_timestamp": "2025-12-03T00:33:15.074049184Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583234829-10357-17722384?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583234829-10357-17722384", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583234829-10357-17722384", + "occurred": "Dec 02 2025 18:33:15", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxVnBfGrnb6uwKQC8J_ETYjgAATiGBvTBytQY5tw5zaKcV-3Pkr589fVtqOGx376jgTSCYZw==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31584758629" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583234829-10357-17722384", + "confidence": 80, + "context_timestamp": "2025-12-03T00:32:12.474Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "crawled_timestamp": "2025-12-03T00:33:15.07405673Z", + "created_timestamp": "2025-12-03T00:33:15.074049184Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "d14588a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583234829-10357-17722384?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:32:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583234829-10357-17722384", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:32:15Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583234829-10357-17722384", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "372", + "logon_domain": "SKT", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "1752", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31583001571", + "process_id": "31583001571", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:32:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "parent_process_id": "31583001571", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxVnBfGrnb6uwKQC8J_ETYjgAATiGBvTBytQY5tw5zaKcV-3Pkr589fVtqOGx376jgTSCYZw==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": "31583234829", + "process_start_time": "1764721932", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-03T00:32:13.144Z", + "tree_id": "17190948835", + "tree_root": "31583001571", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31583234829", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:33:18.725583837Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda", + "user_principal": "Frieda@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:32:13", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:33:18.725583837Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583234829-10357-17722384", + "local_prevalence": "common", + "local_process_id": 372, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": 31583234829, + "process_start_time": 1764721932, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17190948835, + "tree_root": 31583001571, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31583234829", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "email_sent": "true", + "event_correlation_id": "d14588a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31583001571, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "1752", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31583001571", + "process_id": "31583001571", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:32:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "grandparent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:32:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "user_principal": "Frieda@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31584758629" + ], + "process_end_time": "", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:32:15Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:59:15", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "NOvkvADuG/cp0oPCyhmxBg==:1:61:140", + "_insert_time": "Dec 02 2025 18:59:46", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17198037699", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31643601738-10357-18957840", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:58:07", + "crawled_timestamp": "2025-12-03T00:59:09.755439806Z", + "created_timestamp": "2025-12-03T00:59:09.755431537Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31643601738-10357-18957840?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31643601738-10357-18957840", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31643601738-10357-18957840", + "occurred": "Dec 02 2025 18:59:09", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxQB-v-mWhb7Qj7I0bq5KqkQAATiGGnzFphZJoNn8jAvMU6RLoooSN26oqkD1WfLBjko79Ew==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17198037699", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -accepteula -s -d C:\\Windows\\wsqmanager.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31643601738-10357-18957840", + "confidence": 80, + "context_timestamp": "2025-12-03T00:58:07.230Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17198037699", + "crawled_timestamp": "2025-12-03T00:59:09.755439806Z", + "created_timestamp": "2025-12-03T00:59:09.755431537Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:51:56Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:54:32Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "678a3cb1-e0cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31643601738-10357-18957840?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "files_written": [ + { + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\Mup\\khabibulin\\ADMIN$", + "timestamp": "1764723487" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-03T00:58:30Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31643601738-10357-18957840", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:58:07Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.96218337878896", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31643601738-10357-18957840", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "4196", + "logon_domain": "SKT", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "network_accesses": [ + { + "access_timestamp": "1764723487", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "50516", + "protocol": "TCP", + "remote_address": "10.20.20.104", + "remote_port": "135" + }, + { + "access_timestamp": "1764723487", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "50517", + "protocol": "TCP", + "remote_address": "10.20.20.104", + "remote_port": "49670" + } + ], + "objective": "Keep Access", + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:58:30Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "parent_process_id": "31577270089", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxQB-v-mWhb7Qj7I0bq5KqkQAATiGGnzFphZJoNn8jAvMU6RLoooSN26oqkD1WfLBjko79Ew==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 95, + "process_end_time": "1764723488", + "process_id": "31643601738", + "process_start_time": "1764723487", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-03T00:58:07.653Z", + "tree_id": "17198037699", + "tree_root": "31643601738", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31643601738", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:15.804668485Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda", + "user_principal": "Frieda@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:58:07", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:15.804668485Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -accepteula -s -d C:\\Windows\\wsqmanager.exe", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17198037699", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:51:56Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:54:32Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31643601738-10357-18957840", + "local_prevalence": "common", + "local_process_id": 4196, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 95, + "process_id": 31643601738, + "process_start_time": 1764723487, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17198037699, + "tree_root": 31643601738, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31643601738", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "email_sent": "true", + "event_correlation_id": "678a3cb1-e0cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31577270089, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:58:30Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-03T00:58:30Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "user_principal": "Frieda@skt.local", + "child_process_ids": "", + "process_end_time": 1764723488, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:58:07Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.96218337878896", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\Mup\\khabibulin\\ADMIN$", + "timestamp": "1764723487" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764723487", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "50516", + "protocol": "TCP", + "remote_address": "10.20.20.104", + "remote_port": "135" + }, + { + "access_timestamp": "1764723487", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "50517", + "protocol": "TCP", + "remote_address": "10.20.20.104", + "remote_port": "49670" + } + ], + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:37:45", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "VoCyK7AZI8A1c69tb8vqxA==:1:61:140", + "_insert_time": "Dec 02 2025 18:38:46", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31599624476-10357-17832208", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:36:38", + "crawled_timestamp": "2025-12-03T00:37:40.56181638Z", + "created_timestamp": "2025-12-03T00:37:40.561810509Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31599624476-10357-17832208?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31599624476-10357-17832208", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31599624476-10357-17832208", + "occurred": "Dec 02 2025 18:37:40", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxIcAk6gI9SU7mC07Oanu9TQAATiEQA_fvxdBobzp0K3jnGxJmCSw72wEIGTmQyoIazPdv-A==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31600843279" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31599624476-10357-17832208", + "confidence": 80, + "context_timestamp": "2025-12-03T00:36:38.653Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "crawled_timestamp": "2025-12-03T00:37:40.56181638Z", + "created_timestamp": "2025-12-03T00:37:40.561810509Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "b54888a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31599624476-10357-17832208?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6348", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31596455941", + "process_id": "31596455941", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:37:00Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31599624476-10357-17832208", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:36:41Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31599624476-10357-17832208", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "6080", + "logon_domain": "NT AUTHORITY", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "3272", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31598667333", + "process_id": "31598667333", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:36:57Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31598667333", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxIcAk6gI9SU7mC07Oanu9TQAATiEQA_fvxdBobzp0K3jnGxJmCSw72wEIGTmQyoIazPdv-A==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_end_time": "1764722227", + "process_id": "31599624476", + "process_start_time": "1764722198", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-03T00:36:39.044Z", + "tree_id": "17192322901", + "tree_root": "31598667333", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31599624476", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:37:45.201233224Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:36:39", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:37:45.201233224Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31599624476-10357-17832208", + "local_prevalence": "common", + "local_process_id": 6080, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": 31599624476, + "process_start_time": 1764722198, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17192322901, + "tree_root": 31598667333, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31599624476", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "b54888a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31598667333, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "3272", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31598667333", + "process_id": "31598667333", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:36:57Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6348", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31596455941", + "process_id": "31596455941", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:37:00Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31600843279" + ], + "process_end_time": 1764722227, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:36:41Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:53:59", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "kEIFaXqWklRE3r2imslNFA==:0:61:140", + "_insert_time": "Dec 02 2025 18:54:46", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17195519089", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31639198850-10357-18698512", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:52:52", + "crawled_timestamp": "2025-12-03T00:53:54.22675048Z", + "created_timestamp": "2025-12-03T00:53:54.226735807Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31639198850-10357-18698512?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31639198850-10357-18698512", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31639198850-10357-18698512", + "occurred": "Dec 02 2025 18:53:54", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxm48Xmn_dmujdgRWCysQE1wAATiFUiknxs2KBBQSxFBVpX9sOQqm9FpVvfbw4Eby813grdg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17195519089", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -accepteula -s cmd /c \"whoami\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31639198850-10357-18698512", + "confidence": 80, + "context_timestamp": "2025-12-03T00:52:52.325Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17195519089", + "crawled_timestamp": "2025-12-03T00:53:54.22675048Z", + "created_timestamp": "2025-12-03T00:53:54.226735807Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:51:56Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:52:24Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "5d843cb1-e0cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31639198850-10357-18698512?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "files_written": [ + { + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\Mup\\khabibulin\\ADMIN$", + "timestamp": "1764723172" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-03T00:53:14Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31639198850-10357-18698512", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:52:52Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.96218337878899", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31639198850-10357-18698512", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "8140", + "logon_domain": "SKT", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "network_accesses": [ + { + "access_timestamp": "1764723172", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "50221", + "protocol": "TCP", + "remote_address": "10.20.20.104", + "remote_port": "49670" + }, + { + "access_timestamp": "1764723172", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "50220", + "protocol": "TCP", + "remote_address": "10.20.20.104", + "remote_port": "135" + } + ], + "objective": "Keep Access", + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:53:13Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "parent_process_id": "31577270089", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxm48Xmn_dmujdgRWCysQE1wAATiFUiknxs2KBBQSxFBVpX9sOQqm9FpVvfbw4Eby813grdg==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 95, + "process_end_time": "1764723173", + "process_id": "31639198850", + "process_start_time": "1764723172", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-03T00:52:52.622Z", + "tree_id": "17195519089", + "tree_root": "31639198850", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31639198850", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:53:59.047146687Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda", + "user_principal": "Frieda@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:52:52", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:53:59.047146687Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -accepteula -s cmd /c \"whoami\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17195519089", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:51:56Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:52:24Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31639198850-10357-18698512", + "local_prevalence": "common", + "local_process_id": 8140, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 95, + "process_id": 31639198850, + "process_start_time": 1764723172, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17195519089, + "tree_root": 31639198850, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31639198850", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "email_sent": "true", + "event_correlation_id": "5d843cb1-e0cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31577270089, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:53:13Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-03T00:53:14Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "user_principal": "Frieda@skt.local", + "child_process_ids": "", + "process_end_time": 1764723173, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:52:52Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.96218337878899", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\Mup\\khabibulin\\ADMIN$", + "timestamp": "1764723172" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764723172", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "50221", + "protocol": "TCP", + "remote_address": "10.20.20.104", + "remote_port": "49670" + }, + { + "access_timestamp": "1764723172", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.10.9", + "local_port": "50220", + "protocol": "TCP", + "remote_address": "10.20.20.104", + "remote_port": "135" + } + ], + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:02:19", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "D4Zh/K0UJre5PMkq1ewZnw==:2:61:140", + "_insert_time": "Dec 02 2025 18:02:46", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31538251082-10357-17125136", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:01:07", + "crawled_timestamp": "2025-12-03T00:02:13.245961684Z", + "created_timestamp": "2025-12-03T00:02:13.245953277Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31538251082-10357-17125136?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31538251082-10357-17125136", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31538251082-10357-17125136", + "occurred": "Dec 02 2025 18:02:13", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxjKzcPe46qbT-iSOCp96kVQAATiFO9ADSWYCoPwz1H892qgmqNdw-fNRTyxKr9N7ftEswpA==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31539238927" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31538251082-10357-17125136", + "confidence": 80, + "context_timestamp": "2025-12-03T00:01:07.757Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "crawled_timestamp": "2025-12-03T00:02:13.245961684Z", + "created_timestamp": "2025-12-03T00:02:13.245953277Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "c23d88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31538251082-10357-17125136?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "3444", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31535633401", + "process_id": "31535633401", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:01:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31538251082-10357-17125136", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:01:10Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31538251082-10357-17125136", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "3644", + "logon_domain": "NT AUTHORITY", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "8336", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31537454329", + "process_id": "31537454329", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:02:08Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31537454329", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxjKzcPe46qbT-iSOCp96kVQAATiFO9ADSWYCoPwz1H892qgmqNdw-fNRTyxKr9N7ftEswpA==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": "31538251082", + "process_start_time": "1764720067", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-03T00:01:08.167Z", + "tree_id": "17187057379", + "tree_root": "31537454329", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31538251082", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:02:19.195784108Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:01:08", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:02:19.195784108Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31538251082-10357-17125136", + "local_prevalence": "common", + "local_process_id": 3644, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": 31538251082, + "process_start_time": 1764720067, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17187057379, + "tree_root": 31537454329, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31538251082", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "c23d88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31537454329, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "8336", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31537454329", + "process_id": "31537454329", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:02:08Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "3444", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31535633401", + "process_id": "31535633401", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:01:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31539238927" + ], + "process_end_time": "", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:01:10Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:57:47", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "ZHiNHjb30BnR5oisKJp5gA==:0:61:140", + "_insert_time": "Dec 02 2025 18:58:46", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17197558907", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31641615191-10357-18890512", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:56:40", + "crawled_timestamp": "2025-12-03T00:57:43.225042058Z", + "created_timestamp": "2025-12-03T00:57:43.2250345Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31641615191-10357-18890512?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31641615191-10357-18890512", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31641615191-10357-18890512", + "occurred": "Dec 02 2025 18:57:43", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxzmAE0O-JaXnBn0HW_ocWEQAATiHQjEzGzrUOt0F7KLCMkPktWwG5xNCi6YeM7UvU0VXdfw==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17197558907", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -accepteula -s -d -c C:\\Windows\\System32\\wsqmanager.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31641615191-10357-18890512", + "confidence": 80, + "context_timestamp": "2025-12-03T00:56:40.570Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17197558907", + "crawled_timestamp": "2025-12-03T00:57:43.225042058Z", + "created_timestamp": "2025-12-03T00:57:43.2250345Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:51:56Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:54:32Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "ad883cb1-e0cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31641615191-10357-18890512?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-03T00:53:14Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31641615191-10357-18890512", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:56:40Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.96218337878898", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31641615191-10357-18890512", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "6312", + "logon_domain": "SKT", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "objective": "Keep Access", + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:53:13Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "parent_process_id": "31577270089", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxzmAE0O-JaXnBn0HW_ocWEQAATiHQjEzGzrUOt0F7KLCMkPktWwG5xNCi6YeM7UvU0VXdfw==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 95, + "process_id": "31641615191", + "process_start_time": "1764723400", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-03T00:56:41.18Z", + "tree_id": "17197558907", + "tree_root": "31641615191", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31641615191", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:57:47.450096894Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda", + "user_principal": "Frieda@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:56:41", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:57:47.450096894Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -accepteula -s -d -c C:\\Windows\\System32\\wsqmanager.exe", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17197558907", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:51:56Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:54:32Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31641615191-10357-18890512", + "local_prevalence": "common", + "local_process_id": 6312, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 95, + "process_id": 31641615191, + "process_start_time": 1764723400, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17197558907, + "tree_root": 31641615191, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31641615191", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "email_sent": "true", + "event_correlation_id": "ad883cb1-e0cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31577270089, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:53:13Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-03T00:53:14Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "user_principal": "Frieda@skt.local", + "child_process_ids": "", + "process_end_time": "", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:56:40Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.96218337878898", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:55:23", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "RS+aak2r/DtTZf3iaBk+bg==:0:61:140", + "_insert_time": "Dec 02 2025 18:56:25", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17196083067", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31640385797-10357-18781712", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:54:17", + "crawled_timestamp": "2025-12-03T00:55:19.93042415Z", + "created_timestamp": "2025-12-03T00:55:19.930416197Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31640385797-10357-18781712?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31640385797-10357-18781712", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31640385797-10357-18781712", + "occurred": "Dec 02 2025 18:55:19", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxHOmqDPcuI10yXFMbmrjCsQAATiETSJFM0Dsb9Xy5bTlIftUvTgRB01mtGZ_EtYxVHxkGdA==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17196083067", + "alleged_filetype": "exe", + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -accepteula -s -c C:\\Windows\\System32\\wsqmanager.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31640385797-10357-18781712", + "confidence": 80, + "context_timestamp": "2025-12-03T00:54:17.973Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17196083067", + "crawled_timestamp": "2025-12-03T00:55:19.93042415Z", + "created_timestamp": "2025-12-03T00:55:19.930416197Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:51:56Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:54:32Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "26863cb1-e0cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31640385797-10357-18781712?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-03T00:53:14Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31640385797-10357-18781712", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:54:17Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.96218337878898", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31640385797-10357-18781712", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "4144", + "logon_domain": "SKT", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "objective": "Keep Access", + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:53:13Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "parent_process_id": "31577270089", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxHOmqDPcuI10yXFMbmrjCsQAATiETSJFM0Dsb9Xy5bTlIftUvTgRB01mtGZ_EtYxVHxkGdA==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 95, + "process_end_time": "1764723286", + "process_id": "31640385797", + "process_start_time": "1764723257", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-03T00:54:18.103Z", + "tree_id": "17196083067", + "tree_root": "31640385797", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31640385797", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:55:23.952166543Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda", + "user_principal": "Frieda@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:54:18", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:55:23.952166543Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -accepteula -s -c C:\\Windows\\System32\\wsqmanager.exe", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17196083067", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:51:56Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:54:32Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31640385797-10357-18781712", + "local_prevalence": "common", + "local_process_id": 4144, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 95, + "process_id": 31640385797, + "process_start_time": 1764723257, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17196083067, + "tree_root": 31640385797, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31640385797", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "email_sent": "true", + "event_correlation_id": "26863cb1-e0cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31577270089, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:53:13Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-03T00:53:14Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "user_principal": "Frieda@skt.local", + "child_process_ids": "", + "process_end_time": 1764723286, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:54:17Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.96218337878898", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:22:05", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "U4pz2suBpxlrCrteLclIIQ==:1:61:140", + "_insert_time": "Dec 02 2025 18:22:46", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570631061-10357-17570320", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:21:03", + "crawled_timestamp": "2025-12-03T00:22:03.843544855Z", + "created_timestamp": "2025-12-03T00:22:03.843539207Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570631061-10357-17570320?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570631061-10357-17570320", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570631061-10357-17570320", + "occurred": "Dec 02 2025 18:22:03", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxpb0FYLMZZv-RKOsZ6D_qnwAATiEL-tTNwpvFTDenFXCVd5M-cMb1mUOLylEVnU2q08WPFQ==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31572538897" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570631061-10357-17570320", + "confidence": 80, + "context_timestamp": "2025-12-03T00:21:03.130Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "crawled_timestamp": "2025-12-03T00:22:03.843544855Z", + "created_timestamp": "2025-12-03T00:22:03.843539207Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:18:16Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "5f4388a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570631061-10357-17570320?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "656", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31566672392", + "process_id": "31566672392", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:21:25Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570631061-10357-17570320", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:21:05Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570631061-10357-17570320", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "7460", + "logon_domain": "NT AUTHORITY", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "1956", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31570313914", + "process_id": "31570313914", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:21:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31570313914", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxpb0FYLMZZv-RKOsZ6D_qnwAATiEL-tTNwpvFTDenFXCVd5M-cMb1mUOLylEVnU2q08WPFQ==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": "31570631061", + "process_start_time": "1764721262", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-03T00:21:03.178Z", + "tree_id": "17190132029", + "tree_root": "31570313914", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31570631061", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:22:05.609375034Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:21:03", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:22:05.609375034Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:18:16Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570631061-10357-17570320", + "local_prevalence": "common", + "local_process_id": 7460, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": 31570631061, + "process_start_time": 1764721262, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17190132029, + "tree_root": 31570313914, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31570631061", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "5f4388a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31570313914, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "1956", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31570313914", + "process_id": "31570313914", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:21:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "656", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31566672392", + "process_id": "31566672392", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:21:25Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31572538897" + ], + "process_end_time": "", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:21:05Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:39:30", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "tqgh5PguWXCugcHqFlbVow==:3:61:140", + "_insert_time": "Dec 02 2025 18:39:46", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31605401641-10357-17885712", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:38:23", + "crawled_timestamp": "2025-12-03T00:39:25.132404953Z", + "created_timestamp": "2025-12-03T00:39:25.132397668Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31605401641-10357-17885712?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31605401641-10357-17885712", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31605401641-10357-17885712", + "occurred": "Dec 02 2025 18:39:25", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxb9QiyLdxEvcXP3L37kmJYgAATiEeaJZWGwy5aafwWFa9HabfKtvzOTiizg6TL1RgKDeZrg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31606283897" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31605401641-10357-17885712", + "confidence": 80, + "context_timestamp": "2025-12-03T00:38:23.104Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "crawled_timestamp": "2025-12-03T00:39:25.132404953Z", + "created_timestamp": "2025-12-03T00:39:25.132397668Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "aa4988a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31605401641-10357-17885712?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8252", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31602170662", + "process_id": "31602170662", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:39:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31605401641-10357-17885712", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:38:26Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31605401641-10357-17885712", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "7112", + "logon_domain": "SKT", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "8696", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31604130129", + "process_id": "31604130129", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:39:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "31604130129", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxb9QiyLdxEvcXP3L37kmJYgAATiEeaJZWGwy5aafwWFa9HabfKtvzOTiizg6TL1RgKDeZrg==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": "31605401641", + "process_start_time": "1764722303", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-03T00:38:23.425Z", + "tree_id": "17192868185", + "tree_root": "31604130129", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31605401641", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:39:30.388400683Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:38:23", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:39:30.388400683Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31605401641-10357-17885712", + "local_prevalence": "common", + "local_process_id": 7112, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": 31605401641, + "process_start_time": 1764722303, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17192868185, + "tree_root": 31604130129, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31605401641", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "aa4988a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31604130129, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "8696", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31604130129", + "process_id": "31604130129", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:39:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8252", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31602170662", + "process_id": "31602170662", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:39:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31606283897" + ], + "process_end_time": "", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:38:26Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:11:30", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "2IzbGs1QFj2qZqah+Xz7ZQ==:2:61:140", + "_insert_time": "Dec 02 2025 18:11:47", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31553095157-10357-17401104", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:10:22", + "crawled_timestamp": "2025-12-03T00:11:24.625285281Z", + "created_timestamp": "2025-12-03T00:11:24.625278427Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31553095157-10357-17401104?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31553095157-10357-17401104", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31553095157-10357-17401104", + "occurred": "Dec 02 2025 18:11:24", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx7pQwKS2OklK2ad_Qfjy7WwAATiG1zcQn2EBJc0-djwb2JT84mm-gSIZxzgesm_Bw5LTTiQ==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31554708338" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31553095157-10357-17401104", + "confidence": 80, + "context_timestamp": "2025-12-03T00:10:22.866Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "crawled_timestamp": "2025-12-03T00:11:24.625285281Z", + "created_timestamp": "2025-12-03T00:11:24.625278427Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:07:51Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:10:52Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "ca4088a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31553095157-10357-17401104?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "5620", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31549696836", + "process_id": "31549696836", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:10:26Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31553095157-10357-17401104", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:10:25Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31553095157-10357-17401104", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "4196", + "logon_domain": "NT AUTHORITY", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "7320", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31552203028", + "process_id": "31552203028", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:11:07Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31552203028", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx7pQwKS2OklK2ad_Qfjy7WwAATiG1zcQn2EBJc0-djwb2JT84mm-gSIZxzgesm_Bw5LTTiQ==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": "31553095157", + "process_start_time": "1764720622", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-03T00:10:23.113Z", + "tree_id": "17188296914", + "tree_root": "31552203028", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31553095157", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:11:30.566364069Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:10:23", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:11:30.566364069Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:07:51Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:10:52Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31553095157-10357-17401104", + "local_prevalence": "common", + "local_process_id": 4196, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": 31553095157, + "process_start_time": 1764720622, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17188296914, + "tree_root": 31552203028, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31553095157", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "ca4088a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31552203028, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "7320", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31552203028", + "process_id": "31552203028", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:11:07Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "5620", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31549696836", + "process_id": "31549696836", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:10:26Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31554708338" + ], + "process_end_time": "", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:10:25Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:05:31", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "J7GxmZwa2WHyK8vLGEdjOA==:2:61:140", + "_insert_time": "Dec 02 2025 18:05:46", + "_name": "GenericMasqueradingDefenseEvasion", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31547104654-10357-17237520", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:04:28", + "crawled_timestamp": "2025-12-03T00:05:29.749996409Z", + "created_timestamp": "2025-12-03T00:05:29.749989113Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "display_name": "MasqueradingDefenseEvasion", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31547104654-10357-17237520?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31547104654-10357-17237520", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31547104654-10357-17237520", + "occurred": "Dec 02 2025 18:05:29", + "pattern_id": 10357, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxS19qPEuONt2vnIaKH_DNAwAATiHMzTzUVvUd9mU-VLYHk7zuwOFpeOQV6ynyjjLM82GYOw==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31547669447" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31547104654-10357-17237520", + "confidence": 80, + "context_timestamp": "2025-12-03T00:04:28.596Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "crawled_timestamp": "2025-12-03T00:05:29.749996409Z", + "created_timestamp": "2025-12-03T00:05:29.749989113Z", + "data_domains": [ + "Endpoint" + ], + "description": "An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:02:29Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MasqueradingDefenseEvasion", + "email_sent": true, + "event_correlation_id": "5c3f88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31547104654-10357-17237520?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2360", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31544142101", + "process_id": "31544142101", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:04:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31547104654-10357-17237520", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:04:31Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31547104654-10357-17237520", + "ioc_context": [], + "local_prevalence": "common", + "local_process_id": "8784", + "logon_domain": "NT AUTHORITY", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "mitre_attack": [ + { + "pattern_id": 10357, + "tactic_id": "TA0005", + "technique_id": "T1036", + "tactic": "Defense Evasion", + "technique": "Masquerading" + } + ], + "name": "GenericMasqueradingDefenseEvasion", + "objective": "Keep Access", + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "4356", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31545616295", + "process_id": "31545616295", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:05:13Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31545616295", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10357, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxS19qPEuONt2vnIaKH_DNAwAATiHMzTzUVvUd9mU-VLYHk7zuwOFpeOQV6ynyjjLM82GYOw==", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": "31547104654", + "process_start_time": "1764720268", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "template_instance_id": "4348", + "timestamp": "2025-12-03T00:04:28.949Z", + "tree_id": "17187585782", + "tree_root": "31545616295", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31547104654", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:05:31.45221507Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:04:28", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:05:31.45221507Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Keep Access", + "tactic": "Defense Evasion", + "tactic_id": "TA0005", + "technique": "Masquerading", + "technique_id": "T1036", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\wsqsp.exe \\\\khabibulin -s -accepteula -c C:\\Windows\\System32\\wsqmanager.exe", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:02:29Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqsp.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wsqsp.exe", + "global_prevalence": "common", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31547104654-10357-17237520", + "local_prevalence": "common", + "local_process_id": 8784, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 95 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10357: An executable appears to have been manipulated to evade detection. Adversaries can abuse file names, paths, and headers to masquerade malware as a safe or legitimate file. Review the executable and process tree.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 95, + "process_id": 31547104654, + "process_start_time": 1764720268, + "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b", + "tree_id": 17187585782, + "tree_root": 31545616295, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31547104654", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "5c3f88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "24a648a48741b1ac809e47b9543c6f12", + "alleged_filetype": "exe", + "parent_process_id": 31545616295, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "local_process_id": "4356", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31545616295", + "process_id": "31545616295", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "timestamp": "2025-12-03T00:05:13Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2360", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31544142101", + "process_id": "31544142101", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:04:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31547669447" + ], + "process_end_time": "", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:04:31Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 4348, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:32:52", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "7rli1yUcgxTMjQOP6n2Xsg==:1:61:140", + "_insert_time": "Dec 02 2025 18:33:46", + "_name": "PassTheTicketLateralMovement", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-10365-17699856", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:31:47", + "crawled_timestamp": "2025-12-03T00:32:49.848474933Z", + "created_timestamp": "2025-12-03T00:32:49.848465669Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "display_name": "PassTheTicketLateralMovement", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-10365-17699856?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-10365-17699856", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-10365-17699856", + "occurred": "Dec 02 2025 18:32:49", + "pattern_id": 10365, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxoJ0uFiDpheaN4s4ealtXvgAATiEnVmh5_-gosCMHJBDJRWn2vVTYaufLKQ_Z93aaJKbiwg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31583234829" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-10365-17699856", + "confidence": 80, + "context_timestamp": "2025-12-03T00:31:47.958Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "crawled_timestamp": "2025-12-03T00:32:49.848474933Z", + "created_timestamp": "2025-12-03T00:32:49.848465669Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PassTheTicketLateralMovement", + "email_sent": true, + "event_correlation_id": "4f4588a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-10365-17699856?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-02T23:44:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-10365-17699856", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:32:15Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-10365-17699856", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "1752", + "logon_domain": "SKT", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "PassTheTicketLateralMovement", + "objective": "Explore", + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:32:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "parent_process_id": "31577270089", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10365, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxoJ0uFiDpheaN4s4ealtXvgAATiEnVmh5_-gosCMHJBDJRWn2vVTYaufLKQ_Z93aaJKbiwg==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 94, + "process_end_time": "1764721932", + "process_id": "31583001571", + "process_start_time": "1764721907", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "template_instance_id": "13890", + "timestamp": "2025-12-03T00:31:48.351Z", + "tree_id": "17190948835", + "tree_root": "31583001571", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31583001571", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:32:52.27265773Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda", + "user_principal": "Frieda@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:31:48", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:32:52.27265773Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Explore", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-10365-17699856", + "local_prevalence": "unique", + "local_process_id": 1752, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 94, + "process_id": 31583001571, + "process_start_time": 1764721907, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17190948835, + "tree_root": 31583001571, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31583001571", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "email_sent": "true", + "event_correlation_id": "4f4588a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31577270089, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:32:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-02T23:44:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "user_principal": "Frieda@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31583234829" + ], + "process_end_time": 1764721932, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:32:15Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 13890, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:02:18", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "D4Zh/K0UJre5PMkq1ewZnw==:3:61:140", + "_insert_time": "Dec 02 2025 18:02:46", + "_name": "PassTheTicketLateralMovement", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-10365-17106960", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:01:07", + "crawled_timestamp": "2025-12-03T00:02:13.254764876Z", + "created_timestamp": "2025-12-03T00:02:13.254756049Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "display_name": "PassTheTicketLateralMovement", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-10365-17106960?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-10365-17106960", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-10365-17106960", + "occurred": "Dec 02 2025 18:02:13", + "pattern_id": 10365, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxOhnUplkXy-9-PX9JKub_WwAATiEkxY5JhyZxwqazcn6gTh0FBRDdd2-ZXojDzebOgeSu7g==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31538251082" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-10365-17106960", + "confidence": 80, + "context_timestamp": "2025-12-03T00:01:07.585Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "crawled_timestamp": "2025-12-03T00:02:13.254764876Z", + "created_timestamp": "2025-12-03T00:02:13.254756049Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PassTheTicketLateralMovement", + "email_sent": true, + "event_correlation_id": "613d88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-10365-17106960?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-10365-17106960", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:01:10Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-10365-17106960", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "8336", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "PassTheTicketLateralMovement", + "objective": "Explore", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "3444", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31535633401", + "process_id": "31535633401", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:01:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31535633401", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10365, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxOhnUplkXy-9-PX9JKub_WwAATiEkxY5JhyZxwqazcn6gTh0FBRDdd2-ZXojDzebOgeSu7g==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_end_time": "1764720067", + "process_id": "31537454329", + "process_start_time": "1764720067", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "template_instance_id": "13890", + "timestamp": "2025-12-03T00:01:08.041Z", + "tree_id": "17187057379", + "tree_root": "31537454329", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31537454329", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:02:18.380518676Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:01:08", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:02:18.380518676Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Explore", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-10365-17106960", + "local_prevalence": "unique", + "local_process_id": 8336, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_id": 31537454329, + "process_start_time": 1764720067, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17187057379, + "tree_root": 31537454329, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31537454329", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "613d88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31535633401, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "3444", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31535633401", + "process_id": "31535633401", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:01:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31538251082" + ], + "process_end_time": 1764720067, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:01:10Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 13890, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:05:31", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "J7GxmZwa2WHyK8vLGEdjOA==:0:61:140", + "_insert_time": "Dec 02 2025 18:05:46", + "_name": "PassTheTicketLateralMovement", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-10365-17218320", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:04:28", + "crawled_timestamp": "2025-12-03T00:05:29.738496347Z", + "created_timestamp": "2025-12-03T00:05:29.738488583Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "display_name": "PassTheTicketLateralMovement", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-10365-17218320?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-10365-17218320", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-10365-17218320", + "occurred": "Dec 02 2025 18:05:29", + "pattern_id": 10365, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxk2lN-ntxFpoGZrhx3VW8uwAATiEVhmG1eJEAxjlUs6_ANlSM3ICaZX_TEMtLv3Et38kXYw==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31547104654" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-10365-17218320", + "confidence": 80, + "context_timestamp": "2025-12-03T00:04:28.346Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "crawled_timestamp": "2025-12-03T00:05:29.738496347Z", + "created_timestamp": "2025-12-03T00:05:29.738488583Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:02:29Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PassTheTicketLateralMovement", + "email_sent": true, + "event_correlation_id": "f83e88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-10365-17218320?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-10365-17218320", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:04:31Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-10365-17218320", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "4356", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "PassTheTicketLateralMovement", + "objective": "Explore", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2360", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31544142101", + "process_id": "31544142101", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:04:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31544142101", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10365, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxk2lN-ntxFpoGZrhx3VW8uwAATiEVhmG1eJEAxjlUs6_ANlSM3ICaZX_TEMtLv3Et38kXYw==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_end_time": "1764720268", + "process_id": "31545616295", + "process_start_time": "1764720268", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "template_instance_id": "13890", + "timestamp": "2025-12-03T00:04:28.823Z", + "tree_id": "17187585782", + "tree_root": "31545616295", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31545616295", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:05:31.129989777Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:04:28", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:05:31.129989777Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Explore", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:02:29Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-10365-17218320", + "local_prevalence": "unique", + "local_process_id": 4356, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_id": 31545616295, + "process_start_time": 1764720268, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17187585782, + "tree_root": 31545616295, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31545616295", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "f83e88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31544142101, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2360", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31544142101", + "process_id": "31544142101", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:04:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31547104654" + ], + "process_end_time": 1764720268, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:04:31Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 13890, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:22:05", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "U4pz2suBpxlrCrteLclIIQ==:2:61:140", + "_insert_time": "Dec 02 2025 18:22:46", + "_name": "PassTheTicketLateralMovement", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-10365-17551376", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:21:01", + "crawled_timestamp": "2025-12-03T00:22:03.851622782Z", + "created_timestamp": "2025-12-03T00:22:03.851572006Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "display_name": "PassTheTicketLateralMovement", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-10365-17551376?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-10365-17551376", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-10365-17551376", + "occurred": "Dec 02 2025 18:22:03", + "pattern_id": 10365, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxYdQoxQDDqo88yCKujTcU5wAATiEXlNMHNXIxsPc6DdMkuZFfMNfzOzwxJIybvZGwIPZ-ag==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31570631061" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-10365-17551376", + "confidence": 80, + "context_timestamp": "2025-12-03T00:21:01.520Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "crawled_timestamp": "2025-12-03T00:22:03.851622782Z", + "created_timestamp": "2025-12-03T00:22:03.851572006Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:18:16Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PassTheTicketLateralMovement", + "email_sent": true, + "event_correlation_id": "f64288a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-10365-17551376?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-10365-17551376", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:21:05Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-10365-17551376", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "1956", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "PassTheTicketLateralMovement", + "objective": "Explore", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "656", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31566672392", + "process_id": "31566672392", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:21:25Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31566672392", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10365, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxYdQoxQDDqo88yCKujTcU5wAATiEXlNMHNXIxsPc6DdMkuZFfMNfzOzwxJIybvZGwIPZ-ag==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_end_time": "1764721263", + "process_id": "31570313914", + "process_start_time": "1764721261", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "template_instance_id": "13890", + "timestamp": "2025-12-03T00:21:01.974Z", + "tree_id": "17190132029", + "tree_root": "31570313914", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31570313914", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:22:05.721817561Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:21:01", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:22:05.721817561Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Explore", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:18:16Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-10365-17551376", + "local_prevalence": "unique", + "local_process_id": 1956, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_id": 31570313914, + "process_start_time": 1764721261, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17190132029, + "tree_root": 31570313914, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31570313914", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "f64288a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31566672392, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "656", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31566672392", + "process_id": "31566672392", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:21:25Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31570631061" + ], + "process_end_time": 1764721263, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:21:05Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 13890, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:11:30", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "2IzbGs1QFj2qZqah+Xz7ZQ==:0:61:140", + "_insert_time": "Dec 02 2025 18:11:47", + "_name": "PassTheTicketLateralMovement", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-10365-17382928", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:10:22", + "crawled_timestamp": "2025-12-03T00:11:24.609508892Z", + "created_timestamp": "2025-12-03T00:11:24.609502293Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "display_name": "PassTheTicketLateralMovement", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-10365-17382928?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-10365-17382928", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-10365-17382928", + "occurred": "Dec 02 2025 18:11:24", + "pattern_id": 10365, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxpfD9p_HGSS50ilIhge8GnwAATiG5BYaphOlipKazdyjY-UvqY0Rf81lWch_dTK8Zj0kpEQ==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31553095157" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-10365-17382928", + "confidence": 80, + "context_timestamp": "2025-12-03T00:10:22.585Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "crawled_timestamp": "2025-12-03T00:11:24.609508892Z", + "created_timestamp": "2025-12-03T00:11:24.609502293Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:07:51Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:10:52Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PassTheTicketLateralMovement", + "email_sent": true, + "event_correlation_id": "664088a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-10365-17382928?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-10365-17382928", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:10:25Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-10365-17382928", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "7320", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "PassTheTicketLateralMovement", + "objective": "Explore", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "5620", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31549696836", + "process_id": "31549696836", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:10:26Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31549696836", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10365, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxpfD9p_HGSS50ilIhge8GnwAATiG5BYaphOlipKazdyjY-UvqY0Rf81lWch_dTK8Zj0kpEQ==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_end_time": "1764720623", + "process_id": "31552203028", + "process_start_time": "1764720622", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "template_instance_id": "13890", + "timestamp": "2025-12-03T00:10:22.966Z", + "tree_id": "17188296914", + "tree_root": "31552203028", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31552203028", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:11:30.30625456Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:10:22", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:11:30.30625456Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Explore", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:07:51Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:10:52Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-10365-17382928", + "local_prevalence": "unique", + "local_process_id": 7320, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_id": 31552203028, + "process_start_time": 1764720622, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17188296914, + "tree_root": 31552203028, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31552203028", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "664088a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31549696836, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "5620", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31549696836", + "process_id": "31549696836", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:10:26Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31553095157" + ], + "process_end_time": 1764720623, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:10:25Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 13890, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:39:30", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "tqgh5PguWXCugcHqFlbVow==:2:61:140", + "_insert_time": "Dec 02 2025 18:39:46", + "_name": "PassTheTicketLateralMovement", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-10365-17878800", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:38:22", + "crawled_timestamp": "2025-12-03T00:39:25.131748557Z", + "created_timestamp": "2025-12-03T00:39:25.131738929Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "display_name": "PassTheTicketLateralMovement", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-10365-17878800?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-10365-17878800", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-10365-17878800", + "occurred": "Dec 02 2025 18:39:25", + "pattern_id": 10365, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx2V03Ru5XKmhyl7Tte0GchAAATiGVtEbnUYkP-VV5tGBtTtDooFautRmuV9QV2L8uUQIo7w==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31605401641" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-10365-17878800", + "confidence": 80, + "context_timestamp": "2025-12-03T00:38:22.932Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "crawled_timestamp": "2025-12-03T00:39:25.131748557Z", + "created_timestamp": "2025-12-03T00:39:25.131738929Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PassTheTicketLateralMovement", + "email_sent": true, + "event_correlation_id": "494988a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-10365-17878800?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-10365-17878800", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:38:26Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-10365-17878800", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "8696", + "logon_domain": "SKT", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "PassTheTicketLateralMovement", + "objective": "Explore", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8252", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31602170662", + "process_id": "31602170662", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:39:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "31602170662", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10365, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx2V03Ru5XKmhyl7Tte0GchAAATiGVtEbnUYkP-VV5tGBtTtDooFautRmuV9QV2L8uUQIo7w==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_end_time": "1764722303", + "process_id": "31604130129", + "process_start_time": "1764722302", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "template_instance_id": "13890", + "timestamp": "2025-12-03T00:38:23.355Z", + "tree_id": "17192868185", + "tree_root": "31604130129", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31604130129", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:39:30.375120924Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:38:23", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:39:30.375120924Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Explore", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-10365-17878800", + "local_prevalence": "unique", + "local_process_id": 8696, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_id": 31604130129, + "process_start_time": 1764722302, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17192868185, + "tree_root": 31604130129, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31604130129", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "494988a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31602170662, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8252", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31602170662", + "process_id": "31602170662", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:39:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31605401641" + ], + "process_end_time": 1764722303, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:38:26Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 13890, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:37:42", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "vJ+R5Kn5YSQ6vkVUlz2+kA==:0:61:140", + "_insert_time": "Dec 02 2025 18:37:46", + "_name": "PassTheTicketLateralMovement", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-10365-17812752", + "confidence": 80, + "context_timestamp": "Dec 02 2025 18:36:38", + "crawled_timestamp": "2025-12-03T00:37:40.553861003Z", + "created_timestamp": "2025-12-03T00:37:40.553856419Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "display_name": "PassTheTicketLateralMovement", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-10365-17812752?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-10365-17812752", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-10365-17812752", + "occurred": "Dec 02 2025 18:37:40", + "pattern_id": 10365, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxSAAkEVPvnM2F12_UUYwrswAATiGESsi9kqZX62lSCwZXphr56aAASCoB_K3X3yXRad8yAA==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31599624476" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-10365-17812752", + "confidence": 80, + "context_timestamp": "2025-12-03T00:36:38.481Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "crawled_timestamp": "2025-12-03T00:37:40.553861003Z", + "created_timestamp": "2025-12-03T00:37:40.553856419Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PassTheTicketLateralMovement", + "email_sent": true, + "event_correlation_id": "544888a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-10365-17812752?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-10365-17812752", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:36:41Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-10365-17812752", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "3272", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 10365, + "tactic_id": "TA0008", + "technique_id": "T1550.003", + "tactic": "Lateral Movement", + "technique": "Pass the Ticket" + } + ], + "name": "PassTheTicketLateralMovement", + "objective": "Explore", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6348", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31596455941", + "process_id": "31596455941", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:37:00Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31596455941", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 10365, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxSAAkEVPvnM2F12_UUYwrswAATiGESsi9kqZX62lSCwZXphr56aAASCoB_K3X3yXRad8yAA==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_end_time": "1764722198", + "process_id": "31598667333", + "process_start_time": "1764722198", + "product": "epp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "template_instance_id": "13890", + "timestamp": "2025-12-03T00:36:38.905Z", + "tree_id": "17192322901", + "tree_root": "31598667333", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31598667333", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:37:42.899078998Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:36:38", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:37:42.899078998Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Explore", + "tactic": "Lateral Movement", + "tactic_id": "TA0008", + "technique": "Pass the Ticket", + "technique_id": "T1550.003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-10365-17812752", + "local_prevalence": "unique", + "local_process_id": 3272, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 10365: A suspicious process used kerberos tickets for authentication. Adversaries can use this for lateral movement efforts. Review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 94, + "process_id": 31598667333, + "process_start_time": 1764722198, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17192322901, + "tree_root": 31598667333, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31598667333", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "544888a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31596455941, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6348", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31596455941", + "process_id": "31596455941", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:37:00Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31599624476" + ], + "process_end_time": 1764722198, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:36:41Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": 13890, + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:37:40", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "vJ+R5Kn5YSQ6vkVUlz2+kA==:1:61:140", + "_insert_time": "Dec 02 2025 18:37:46", + "_name": "SuspiciousLsassMemoryRead", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-262-17830672", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:36:38", + "crawled_timestamp": "2025-12-03T00:37:40.558204804Z", + "created_timestamp": "2025-12-03T00:37:40.558197513Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "display_name": "LsassMemoryReadSuspicious", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-262-17830672?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-262-17830672", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-262-17830672", + "occurred": "Dec 02 2025 18:37:40", + "pattern_id": 262, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxgggwYQfZyyZ0Lgx9ow9PIAAATiF_-49Cbp8adFb2NpZqkc2PKT_s4BiPYiURO6twleyNaw==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31599624476" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-262-17830672", + "confidence": 70, + "context_timestamp": "2025-12-03T00:36:38.622Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "crawled_timestamp": "2025-12-03T00:37:40.558204804Z", + "created_timestamp": "2025-12-03T00:37:40.558197513Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LsassMemoryReadSuspicious", + "event_correlation_id": "a44888a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-262-17830672?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-262-17830672", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:36:41Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-262-17830672", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "3272", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "SuspiciousLsassMemoryRead", + "objective": "Gain Access", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6348", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31596455941", + "process_id": "31596455941", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:37:00Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31596455941", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 262, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxgggwYQfZyyZ0Lgx9ow9PIAAATiF_-49Cbp8adFb2NpZqkc2PKT_s4BiPYiURO6twleyNaw==", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_end_time": "1764722198", + "process_id": "31598667333", + "process_start_time": "1764722198", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "timestamp": "2025-12-03T00:36:39.044Z", + "tree_id": "17192322901", + "tree_root": "31598667333", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31598667333", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:37:40.558197513Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:36:39", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:37:40.558197513Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-262-17830672", + "local_prevalence": "unique", + "local_process_id": 3272, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_id": 31598667333, + "process_start_time": 1764722198, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17192322901, + "tree_root": 31598667333, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31598667333", + "user_id": "S-1-5-18", + "email_sent": "", + "event_correlation_id": "a44888a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31596455941, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6348", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31596455941", + "process_id": "31596455941", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:37:00Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31599624476" + ], + "process_end_time": 1764722198, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:36:41Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:02:18", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "D4Zh/K0UJre5PMkq1ewZnw==:0:61:140", + "_insert_time": "Dec 02 2025 18:02:46", + "_name": "SuspiciousLsassMemoryRead", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-262-17122576", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:01:07", + "crawled_timestamp": "2025-12-03T00:02:13.234072231Z", + "created_timestamp": "2025-12-03T00:02:13.234064108Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "display_name": "LsassMemoryReadSuspicious", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-262-17122576?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-262-17122576", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-262-17122576", + "occurred": "Dec 02 2025 18:02:13", + "pattern_id": 262, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxCmftdjjuinSvPGyXw3TmdAAATiFL7j9rGBrbkfH0vG-g_JWP5KFxcdpGXm8Q4tLMp-is9Q==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31538251082" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-262-17122576", + "confidence": 70, + "context_timestamp": "2025-12-03T00:01:07.710Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "crawled_timestamp": "2025-12-03T00:02:13.234072231Z", + "created_timestamp": "2025-12-03T00:02:13.234064108Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LsassMemoryReadSuspicious", + "email_sent": true, + "event_correlation_id": "ad3d88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-262-17122576?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-262-17122576", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:01:10Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-262-17122576", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "8336", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "SuspiciousLsassMemoryRead", + "objective": "Gain Access", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "3444", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31535633401", + "process_id": "31535633401", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:01:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31535633401", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 262, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxCmftdjjuinSvPGyXw3TmdAAATiFL7j9rGBrbkfH0vG-g_JWP5KFxcdpGXm8Q4tLMp-is9Q==", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_end_time": "1764720067", + "process_id": "31537454329", + "process_start_time": "1764720067", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "timestamp": "2025-12-03T00:01:08.105Z", + "tree_id": "17187057379", + "tree_root": "31537454329", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31537454329", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:02:18.376163261Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:01:08", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:02:18.376163261Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-262-17122576", + "local_prevalence": "unique", + "local_process_id": 8336, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_id": 31537454329, + "process_start_time": 1764720067, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17187057379, + "tree_root": 31537454329, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31537454329", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "ad3d88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31535633401, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "3444", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31535633401", + "process_id": "31535633401", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:01:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31538251082" + ], + "process_end_time": 1764720067, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:01:10Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:11:29", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "2IzbGs1QFj2qZqah+Xz7ZQ==:3:61:140", + "_insert_time": "Dec 02 2025 18:11:47", + "_name": "SuspiciousLsassMemoryRead", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-262-17398032", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:10:22", + "crawled_timestamp": "2025-12-03T00:11:24.660295985Z", + "created_timestamp": "2025-12-03T00:11:24.660289704Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "display_name": "LsassMemoryReadSuspicious", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-262-17398032?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-262-17398032", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-262-17398032", + "occurred": "Dec 02 2025 18:11:24", + "pattern_id": 262, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxxW_JIh19iCP7M2U0ugvE_AAATiGe7gBrOkqE4ZbkeuPWWuMfaAi3D5d66bPSiXgEWnAU8A==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31553095157" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-262-17398032", + "confidence": 70, + "context_timestamp": "2025-12-03T00:10:22.772Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "crawled_timestamp": "2025-12-03T00:11:24.660295985Z", + "created_timestamp": "2025-12-03T00:11:24.660289704Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:07:51Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:10:52Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LsassMemoryReadSuspicious", + "email_sent": true, + "event_correlation_id": "b04088a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-262-17398032?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-262-17398032", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:10:25Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-262-17398032", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "7320", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "SuspiciousLsassMemoryRead", + "objective": "Gain Access", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "5620", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31549696836", + "process_id": "31549696836", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:10:26Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31549696836", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 262, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxxW_JIh19iCP7M2U0ugvE_AAATiGe7gBrOkqE4ZbkeuPWWuMfaAi3D5d66bPSiXgEWnAU8A==", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_end_time": "1764720623", + "process_id": "31552203028", + "process_start_time": "1764720622", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "timestamp": "2025-12-03T00:10:23.04Z", + "tree_id": "17188296914", + "tree_root": "31552203028", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31552203028", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:11:29.025329994Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:10:23", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:11:29.025329994Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:07:51Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:10:52Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-262-17398032", + "local_prevalence": "unique", + "local_process_id": 7320, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_id": 31552203028, + "process_start_time": 1764720622, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17188296914, + "tree_root": 31552203028, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31552203028", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "b04088a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31549696836, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "5620", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31549696836", + "process_id": "31549696836", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:10:26Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31553095157" + ], + "process_end_time": 1764720623, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:10:25Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:22:05", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "U4pz2suBpxlrCrteLclIIQ==:3:61:140", + "_insert_time": "Dec 02 2025 18:22:46", + "_name": "SuspiciousLsassMemoryRead", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-262-17566736", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:21:02", + "crawled_timestamp": "2025-12-03T00:22:03.859690877Z", + "created_timestamp": "2025-12-03T00:22:03.859683227Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "display_name": "LsassMemoryReadSuspicious", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-262-17566736?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-262-17566736", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-262-17566736", + "occurred": "Dec 02 2025 18:22:03", + "pattern_id": 262, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxOUNVQv_ytiJl2otiF39ugQAATiESfqeBwSiO2cCCguK73-tQdD1419omEiQSJ2x7gLz25g==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31570631061" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-262-17566736", + "confidence": 70, + "context_timestamp": "2025-12-03T00:21:02.958Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "crawled_timestamp": "2025-12-03T00:22:03.859690877Z", + "created_timestamp": "2025-12-03T00:22:03.859683227Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:18:16Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LsassMemoryReadSuspicious", + "email_sent": true, + "event_correlation_id": "454388a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-262-17566736?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-262-17566736", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:21:05Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-262-17566736", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "1956", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "SuspiciousLsassMemoryRead", + "objective": "Gain Access", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "656", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31566672392", + "process_id": "31566672392", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:21:25Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31566672392", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 262, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxOUNVQv_ytiJl2otiF39ugQAATiESfqeBwSiO2cCCguK73-tQdD1419omEiQSJ2x7gLz25g==", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_end_time": "1764721263", + "process_id": "31570313914", + "process_start_time": "1764721261", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "timestamp": "2025-12-03T00:21:03.178Z", + "tree_id": "17190132029", + "tree_root": "31570313914", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31570313914", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:22:05.526794674Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:21:03", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:22:05.526794674Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:18:16Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-262-17566736", + "local_prevalence": "unique", + "local_process_id": 1956, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_id": 31570313914, + "process_start_time": 1764721261, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17190132029, + "tree_root": 31570313914, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31570313914", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "454388a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31566672392, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "656", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31566672392", + "process_id": "31566672392", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:21:25Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31570631061" + ], + "process_end_time": 1764721263, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:21:05Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:39:29", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "tqgh5PguWXCugcHqFlbVow==:1:61:140", + "_insert_time": "Dec 02 2025 18:39:46", + "_name": "SuspiciousLsassMemoryRead", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-262-17883664", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:38:23", + "crawled_timestamp": "2025-12-03T00:39:25.124113322Z", + "created_timestamp": "2025-12-03T00:39:25.124106394Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "display_name": "LsassMemoryReadSuspicious", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-262-17883664?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-262-17883664", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-262-17883664", + "occurred": "Dec 02 2025 18:39:25", + "pattern_id": 262, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxITRetBC8WMrTECsSnjP8XQAATiFKO3jrPar4B7yUD9OZCuYYelPl_lwH5un68rPcoZFgqg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31605401641" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-262-17883664", + "confidence": 70, + "context_timestamp": "2025-12-03T00:38:23.057Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "crawled_timestamp": "2025-12-03T00:39:25.124113322Z", + "created_timestamp": "2025-12-03T00:39:25.124106394Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LsassMemoryReadSuspicious", + "email_sent": true, + "event_correlation_id": "954988a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-262-17883664?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-262-17883664", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-262-17883664", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "8696", + "logon_domain": "SKT", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "SuspiciousLsassMemoryRead", + "objective": "Gain Access", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8252", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31602170662", + "process_id": "31602170662", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:39:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "31602170662", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 262, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxITRetBC8WMrTECsSnjP8XQAATiFKO3jrPar4B7yUD9OZCuYYelPl_lwH5un68rPcoZFgqg==", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_end_time": "1764722303", + "process_id": "31604130129", + "process_start_time": "1764722302", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "timestamp": "2025-12-03T00:38:23.425Z", + "tree_id": "17192868185", + "tree_root": "31604130129", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31604130129", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:39:29.627912181Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:38:23", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:39:29.627912181Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-262-17883664", + "local_prevalence": "unique", + "local_process_id": 8696, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_id": 31604130129, + "process_start_time": 1764722302, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17192868185, + "tree_root": 31604130129, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31604130129", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "954988a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31602170662, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8252", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31602170662", + "process_id": "31602170662", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:39:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31605401641" + ], + "process_end_time": 1764722303, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:05:30", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "J7GxmZwa2WHyK8vLGEdjOA==:3:61:140", + "_insert_time": "Dec 02 2025 18:05:46", + "_name": "SuspiciousLsassMemoryRead", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-262-17233936", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:04:28", + "crawled_timestamp": "2025-12-03T00:05:29.755890828Z", + "created_timestamp": "2025-12-03T00:05:29.75588473Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "display_name": "LsassMemoryReadSuspicious", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-262-17233936?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-262-17233936", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-262-17233936", + "occurred": "Dec 02 2025 18:05:29", + "pattern_id": 262, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx5VSQtofLQXjCLGZIiSwrngAATiH18zM0K4ti1aglUvVRBEBlh6dPnnRxeKEgdQaGgTYmDw==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31547104654" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-262-17233936", + "confidence": 70, + "context_timestamp": "2025-12-03T00:04:28.517Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "crawled_timestamp": "2025-12-03T00:05:29.755890828Z", + "created_timestamp": "2025-12-03T00:05:29.75588473Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:02:29Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LsassMemoryReadSuspicious", + "email_sent": true, + "event_correlation_id": "423f88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-262-17233936?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-262-17233936", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:04:31Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-262-17233936", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "4356", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "SuspiciousLsassMemoryRead", + "objective": "Gain Access", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2360", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31544142101", + "process_id": "31544142101", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:04:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31544142101", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 262, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx5VSQtofLQXjCLGZIiSwrngAATiH18zM0K4ti1aglUvVRBEBlh6dPnnRxeKEgdQaGgTYmDw==", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_end_time": "1764720268", + "process_id": "31545616295", + "process_start_time": "1764720268", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "timestamp": "2025-12-03T00:04:28.887Z", + "tree_id": "17187585782", + "tree_root": "31545616295", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31545616295", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:05:30.820770381Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:04:28", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:05:30.820770381Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:02:29Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-262-17233936", + "local_prevalence": "unique", + "local_process_id": 4356, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 67 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred" + ], + "priority_value": 67, + "process_id": 31545616295, + "process_start_time": 1764720268, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17187585782, + "tree_root": 31545616295, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31545616295", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "423f88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31544142101, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2360", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31544142101", + "process_id": "31544142101", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:04:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31547104654" + ], + "process_end_time": 1764720268, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:04:31Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:33:18", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "7rli1yUcgxTMjQOP6n2Xsg==:3:61:140", + "_insert_time": "Dec 02 2025 18:33:46", + "_name": "SuspiciousLsassMemoryRead", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-262-17719312", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:32:12", + "crawled_timestamp": "2025-12-03T00:33:15.078801742Z", + "created_timestamp": "2025-12-03T00:33:15.078790097Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "display_name": "LsassMemoryReadSuspicious", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-262-17719312?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-262-17719312", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-262-17719312", + "occurred": "Dec 02 2025 18:33:15", + "pattern_id": 262, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxae4L2hFJLUIwi3aEZGaBHQAATiFzvsb7oU9YxdUaVp1jPaVNNgNubnKaarpKeywGm5Ougg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "alleged_filetype": "exe", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31583234829" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-262-17719312", + "confidence": 70, + "context_timestamp": "2025-12-03T00:32:12.271Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "crawled_timestamp": "2025-12-03T00:33:15.078801742Z", + "created_timestamp": "2025-12-03T00:33:15.078790097Z", + "data_domains": [ + "Endpoint" + ], + "description": "A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "LsassMemoryReadSuspicious", + "email_sent": true, + "event_correlation_id": "b74588a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-262-17719312?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-02T23:44:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-262-17719312", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:32:15Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-262-17719312", + "ioc_context": [], + "local_prevalence": "unique", + "local_process_id": "1752", + "logon_domain": "SKT", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 262, + "tactic_id": "TA0006", + "technique_id": "T1003", + "tactic": "Credential Access", + "technique": "OS Credential Dumping" + } + ], + "name": "SuspiciousLsassMemoryRead", + "objective": "Gain Access", + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:32:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "parent_process_id": "31577270089", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 262, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxae4L2hFJLUIwi3aEZGaBHQAATiFzvsb7oU9YxdUaVp1jPaVNNgNubnKaarpKeywGm5Ougg==", + "priority_details": { + "raw_value": 92 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 262: A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 92, + "process_end_time": "1764721932", + "process_id": "31583001571", + "process_start_time": "1764721907", + "product": "epp", + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "timestamp": "2025-12-03T00:32:13.144Z", + "tree_id": "17190948835", + "tree_root": "31583001571", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31583001571", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:33:18.857886146Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda", + "user_principal": "Frieda@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:32:13", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:33:18.857886146Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "OS Credential Dumping", + "technique_id": "T1003", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-262-17719312", + "local_prevalence": "unique", + "local_process_id": 1752, + "logon_domain": "SKT", + "pattern_disposition": 272, + "pattern_disposition_description": "Detection, process would have been killed if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": true, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 92 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted to kill process, but no prevention occurred", + "[MOD] The detection is based on Pattern 262: A suspicious process read lsass memory. Adversaries often use this to steal credentials. If credentials were dumped, change your passwords and review the process tree.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 92, + "process_id": 31583001571, + "process_start_time": 1764721907, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17190948835, + "tree_root": 31583001571, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31583001571", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "email_sent": "true", + "event_correlation_id": "b74588a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31577270089, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:32:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-02T23:44:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "user_principal": "Frieda@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31583234829" + ], + "process_end_time": 1764721932, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:32:15Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "", + "ioc_value": "", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [], + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:39:31", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "tqgh5PguWXCugcHqFlbVow==:0:61:140", + "_insert_time": "Dec 02 2025 18:39:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-5702-17877264", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:38:22", + "crawled_timestamp": "2025-12-03T00:39:25.114196828Z", + "created_timestamp": "2025-12-03T00:39:25.114179824Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-5702-17877264?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-5702-17877264", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-5702-17877264", + "occurred": "Dec 02 2025 18:39:25", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxk2TKm-4k3oyiPLgNsS8r7gAATiHyvzULiYazzVfxggF5pz4uV6GMIV966U4WJFHoYD-V1A==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31605401641" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-5702-17877264", + "confidence": 70, + "context_timestamp": "2025-12-03T00:38:22.917Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "crawled_timestamp": "2025-12-03T00:39:25.114196828Z", + "created_timestamp": "2025-12-03T00:39:25.114179824Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "454988a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-5702-17877264?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-5702-17877264", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:38:26Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-5702-17877264", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "local_prevalence": "unique", + "local_process_id": "8696", + "logon_domain": "SKT", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8252", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31602170662", + "process_id": "31602170662", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:39:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "31602170662", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxk2TKm-4k3oyiPLgNsS8r7gAATiHyvzULiYazzVfxggF5pz4uV6GMIV966U4WJFHoYD-V1A==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_end_time": "1764722303", + "process_id": "31604130129", + "process_start_time": "1764722302", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-03T00:38:23.355Z", + "tree_id": "17192868185", + "tree_root": "31604130129", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31604130129", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:39:31.422617155Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:38:23", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:39:31.422617155Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192868185", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31604130129-5702-17877264", + "local_prevalence": "unique", + "local_process_id": 8696, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_id": 31604130129, + "process_start_time": 1764722302, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17192868185, + "tree_root": 31604130129, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31604130129", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "454988a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31602170662, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "8252", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31602170662", + "process_id": "31602170662", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:39:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31605401641" + ], + "process_end_time": 1764722303, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:38:26Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:02:20", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "D4Zh/K0UJre5PMkq1ewZnw==:1:61:140", + "_insert_time": "Dec 02 2025 18:02:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-5702-17105168", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:01:07", + "crawled_timestamp": "2025-12-03T00:02:13.234601392Z", + "created_timestamp": "2025-12-03T00:02:13.234592694Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-5702-17105168?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-5702-17105168", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-5702-17105168", + "occurred": "Dec 02 2025 18:02:13", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxuGw0KNYzkLg-xoXvKFL8WwAATiHg89D1zTsV9OmI17r3xGp8aY8jtQ9Xg_bNbhTU2W05lQ==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31538251082" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-5702-17105168", + "confidence": 70, + "context_timestamp": "2025-12-03T00:01:07.570Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "crawled_timestamp": "2025-12-03T00:02:13.234601392Z", + "created_timestamp": "2025-12-03T00:02:13.234592694Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "5d3d88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-5702-17105168?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-5702-17105168", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:01:10Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-5702-17105168", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "local_prevalence": "unique", + "local_process_id": "8336", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "3444", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31535633401", + "process_id": "31535633401", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:01:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31535633401", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxuGw0KNYzkLg-xoXvKFL8WwAATiHg89D1zTsV9OmI17r3xGp8aY8jtQ9Xg_bNbhTU2W05lQ==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_end_time": "1764720067", + "process_id": "31537454329", + "process_start_time": "1764720067", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-03T00:01:08.041Z", + "tree_id": "17187057379", + "tree_root": "31537454329", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31537454329", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:02:20.194218842Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:01:08", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:02:20.194218842Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187057379", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31537454329-5702-17105168", + "local_prevalence": "unique", + "local_process_id": 8336, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_id": 31537454329, + "process_start_time": 1764720067, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17187057379, + "tree_root": 31537454329, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31537454329", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "5d3d88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31535633401, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "3444", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31535633401", + "process_id": "31535633401", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:01:10Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31538251082" + ], + "process_end_time": 1764720067, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:01:10Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:05:30", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "J7GxmZwa2WHyK8vLGEdjOA==:1:61:140", + "_insert_time": "Dec 02 2025 18:05:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-5702-17217040", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:04:28", + "crawled_timestamp": "2025-12-03T00:05:29.745104569Z", + "created_timestamp": "2025-12-03T00:05:29.745098114Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-5702-17217040?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-5702-17217040", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-5702-17217040", + "occurred": "Dec 02 2025 18:05:29", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-x8FLLg42E-4FZe_Xmf3UQAATiHwQKHSIppdc2jKIJ5zA7J4_yqmmV_OcZ9lpYwsL6jvQg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31547104654" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-5702-17217040", + "confidence": 70, + "context_timestamp": "2025-12-03T00:04:28.314Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "crawled_timestamp": "2025-12-03T00:05:29.745104569Z", + "created_timestamp": "2025-12-03T00:05:29.745098114Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:02:29Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "f63e88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-5702-17217040?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-5702-17217040", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:04:31Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-5702-17217040", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "local_prevalence": "unique", + "local_process_id": "4356", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2360", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31544142101", + "process_id": "31544142101", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:04:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31544142101", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-x8FLLg42E-4FZe_Xmf3UQAATiHwQKHSIppdc2jKIJ5zA7J4_yqmmV_OcZ9lpYwsL6jvQg==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_end_time": "1764720268", + "process_id": "31545616295", + "process_start_time": "1764720268", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-03T00:04:28.822Z", + "tree_id": "17187585782", + "tree_root": "31545616295", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31545616295", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:05:30.857519109Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:04:28", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:05:30.857519109Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17187585782", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:02:29Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31545616295-5702-17217040", + "local_prevalence": "unique", + "local_process_id": 4356, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_id": 31545616295, + "process_start_time": 1764720268, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17187585782, + "tree_root": 31545616295, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31545616295", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "f63e88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31544142101, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2360", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31544142101", + "process_id": "31544142101", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:04:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31547104654" + ], + "process_end_time": 1764720268, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:04:31Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:37:45", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "VoCyK7AZI8A1c69tb8vqxA==:0:61:140", + "_insert_time": "Dec 02 2025 18:38:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-5702-17811472", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:36:38", + "crawled_timestamp": "2025-12-03T00:37:40.561686031Z", + "created_timestamp": "2025-12-03T00:37:40.561677531Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-5702-17811472?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-5702-17811472", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-5702-17811472", + "occurred": "Dec 02 2025 18:37:40", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxnmHa92iat937gMm7ZVattAAATiF9SepWEUyKQtg58Js40dduTxn7TPtUaFAP6vJLiqdjNg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31599624476" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-5702-17811472", + "confidence": 70, + "context_timestamp": "2025-12-03T00:36:38.450Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "crawled_timestamp": "2025-12-03T00:37:40.561686031Z", + "created_timestamp": "2025-12-03T00:37:40.561677531Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "504888a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-5702-17811472?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-5702-17811472", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:36:41Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-5702-17811472", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "local_prevalence": "unique", + "local_process_id": "3272", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6348", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31596455941", + "process_id": "31596455941", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:37:00Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31596455941", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxnmHa92iat937gMm7ZVattAAATiF9SepWEUyKQtg58Js40dduTxn7TPtUaFAP6vJLiqdjNg==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_end_time": "1764722198", + "process_id": "31598667333", + "process_start_time": "1764722198", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-03T00:36:38.905Z", + "tree_id": "17192322901", + "tree_root": "31598667333", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31598667333", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:37:45.195080216Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:36:38", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:37:45.195080216Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17192322901", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31598667333-5702-17811472", + "local_prevalence": "unique", + "local_process_id": 3272, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_id": 31598667333, + "process_start_time": 1764722198, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17192322901, + "tree_root": 31598667333, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31598667333", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "504888a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31596455941, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "6348", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31596455941", + "process_id": "31596455941", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:37:00Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31599624476" + ], + "process_end_time": 1764722198, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:36:41Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:22:05", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "U4pz2suBpxlrCrteLclIIQ==:0:61:140", + "_insert_time": "Dec 02 2025 18:22:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-5702-17550096", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:21:01", + "crawled_timestamp": "2025-12-03T00:22:03.83998266Z", + "created_timestamp": "2025-12-03T00:22:03.8399749Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-5702-17550096?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-5702-17550096", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-5702-17550096", + "occurred": "Dec 02 2025 18:22:03", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxLo-DJNGnParVLQZM5nQjdQAATiFGrgxLKIRVLit0nHw-QvbQkIrgyd-eUfE87Ixjy6HuwA==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31570631061" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-5702-17550096", + "confidence": 70, + "context_timestamp": "2025-12-03T00:21:01.161Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "crawled_timestamp": "2025-12-03T00:22:03.83998266Z", + "created_timestamp": "2025-12-03T00:22:03.8399749Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:18:16Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "f44288a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-5702-17550096?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-5702-17550096", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:21:05Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-5702-17550096", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "local_prevalence": "unique", + "local_process_id": "1956", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "656", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31566672392", + "process_id": "31566672392", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:21:25Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31566672392", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxLo-DJNGnParVLQZM5nQjdQAATiFGrgxLKIRVLit0nHw-QvbQkIrgyd-eUfE87Ixjy6HuwA==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_end_time": "1764721263", + "process_id": "31570313914", + "process_start_time": "1764721261", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-03T00:21:01.974Z", + "tree_id": "17190132029", + "tree_root": "31570313914", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31570313914", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:22:05.705390045Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:21:01", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:22:05.705390045Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190132029", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:18:16Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31570313914-5702-17550096", + "local_prevalence": "unique", + "local_process_id": 1956, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_id": 31570313914, + "process_start_time": 1764721261, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17190132029, + "tree_root": 31570313914, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31570313914", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "f44288a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31566672392, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "656", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31566672392", + "process_id": "31566672392", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:21:25Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-03T00:19:39Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31570631061" + ], + "process_end_time": 1764721263, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:21:05Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:32:52", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "7rli1yUcgxTMjQOP6n2Xsg==:0:61:140", + "_insert_time": "Dec 02 2025 18:33:46", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-5702-17698064", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:31:47", + "crawled_timestamp": "2025-12-03T00:32:49.830644572Z", + "created_timestamp": "2025-12-03T00:32:49.830633539Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-5702-17698064?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-5702-17698064", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-5702-17698064", + "occurred": "Dec 02 2025 18:32:49", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxYNLlUnX6D-k_cBeuaz1mWQAATiGUHDI1-ovQyfsOWYrObRKff3w6H7MtfsWzZgTklZwQkQ==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31583234829" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-5702-17698064", + "confidence": 70, + "context_timestamp": "2025-12-03T00:31:47.677Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "crawled_timestamp": "2025-12-03T00:32:49.830644572Z", + "created_timestamp": "2025-12-03T00:32:49.830633539Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "4c4588a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-5702-17698064?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-02T23:44:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-5702-17698064", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:32:15Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-5702-17698064", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "local_prevalence": "unique", + "local_process_id": "1752", + "logon_domain": "SKT", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:32:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "parent_process_id": "31577270089", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxYNLlUnX6D-k_cBeuaz1mWQAATiGUHDI1-ovQyfsOWYrObRKff3w6H7MtfsWzZgTklZwQkQ==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 99, + "process_end_time": "1764721932", + "process_id": "31583001571", + "process_start_time": "1764721907", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-03T00:31:48.351Z", + "tree_id": "17190948835", + "tree_root": "31583001571", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31583001571", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:32:52.289243514Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda", + "user_principal": "Frieda@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:31:48", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:32:52.289243514Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17190948835", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:11:55Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:32:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31583001571-5702-17698064", + "local_prevalence": "unique", + "local_process_id": 1752, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 99, + "process_id": 31583001571, + "process_start_time": 1764721907, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17190948835, + "tree_root": 31583001571, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31583001571", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "email_sent": "true", + "event_correlation_id": "4c4588a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31577270089, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Windows\\system32\\cmd.exe\" ", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "2992", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31577270089", + "process_id": "31577270089", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:32:23Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "local_process_id": "5028", + "md5": "5847f8c39e840cf9881a950f3b6df389", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31351618955", + "process_id": "31351618955", + "sha256": "ad4f5fc22a47a521015e8139478555c505f0071c4c2020211f1e806603b89ae8", + "timestamp": "2025-12-02T23:44:31Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-21-4168186624-547105363-3065826963-1113", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1113", + "user_name": "Frieda" + }, + "user_principal": "Frieda@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31583234829" + ], + "process_end_time": 1764721932, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:32:15Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.0988927227357", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:11:29", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "2IzbGs1QFj2qZqah+Xz7ZQ==:1:61:140", + "_insert_time": "Dec 02 2025 18:11:47", + "_name": "MLSensor-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-5702-17381392", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:10:22", + "crawled_timestamp": "2025-12-03T00:11:24.616730211Z", + "created_timestamp": "2025-12-03T00:11:24.616724155Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "display_name": "MLSensor-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-5702-17381392?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-5702-17381392", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-5702-17381392", + "occurred": "Dec 02 2025 18:11:24", + "pattern_id": 5702, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxFP57l6_WkTe_cHdH-SAa4gAATiHWaqcPUO7aObRTDrMrKI-OIVYCVgrLleMgiKP5LjLwXA==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31553095157" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-5702-17381392", + "confidence": 70, + "context_timestamp": "2025-12-03T00:10:22.538Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "crawled_timestamp": "2025-12-03T00:11:24.616730211Z", + "created_timestamp": "2025-12-03T00:11:24.616724155Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:07:51Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:10:52Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "MLSensor-High", + "email_sent": true, + "event_correlation_id": "644088a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-5702-17381392?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-5702-17381392", + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:10:25Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-5702-17381392", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "local_prevalence": "unique", + "local_process_id": "7320", + "logon_domain": "NT AUTHORITY", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "mitre_attack": [ + { + "pattern_id": 5702, + "tactic_id": "CSTA0004", + "technique_id": "CST0007", + "tactic": "Machine Learning", + "technique": "Sensor-based ML" + } + ], + "name": "MLSensor-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "5620", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31549696836", + "process_id": "31549696836", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:10:26Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "parent_process_id": "31549696836", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5702, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxFP57l6_WkTe_cHdH-SAa4gAATiHWaqcPUO7aObRTDrMrKI-OIVYCVgrLleMgiKP5LjLwXA==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_end_time": "1764720623", + "process_id": "31552203028", + "process_start_time": "1764720622", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "timestamp": "2025-12-03T00:10:22.965Z", + "tree_id": "17188296914", + "tree_root": "31552203028", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31552203028", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:11:29.021306969Z", + "user_id": "S-1-5-18", + "user_name": "SYSTEM", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:10:22", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:11:29.021306969Z", + "user_name": "SYSTEM", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Sensor-based ML", + "technique_id": "CST0007", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17188296914", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T00:07:51Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:10:52Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "terabox.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31552203028-5702-17381392", + "local_prevalence": "unique", + "local_process_id": 7320, + "logon_domain": "NT AUTHORITY", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5702: This file meets the machine learning-based on-sensor AV protection's high confidence threshold for malicious files.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_id": 31552203028, + "process_start_time": 1764720622, + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "tree_id": 17188296914, + "tree_root": 31552203028, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31552203028", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "644088a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "alleged_filetype": "exe", + "parent_process_id": 31549696836, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\System32\\terabox.exe \"pr::d\" \"slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\\Windows\\System32\\wsqsp.exe /sys:1 /prun:C:\\Windows\\System32\\wsqmanager.exe\" \"quit\"", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe", + "local_process_id": "5620", + "md5": "911d039e71583a07320b32bde22f8e22", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31549696836", + "process_id": "31549696836", + "sha256": "bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527", + "timestamp": "2025-12-03T00:10:26Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "9068", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31472032119", + "process_id": "31472032119", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "2025-12-02T23:46:55Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "SYSTEM" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31553095157" + ], + "process_end_time": 1764720623, + "incident": { + "created": "2025-12-02T23:46:52Z", + "end": "2025-12-03T00:10:25Z", + "id": "inc:52917f37b9d44993b4d0f0d9024236a1:0676a63c88f8435ab63416de28f28daf", + "score": "121.09889272273568", + "start": "2025-12-02T23:46:51Z" + }, + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "md5": "2704209c0eaf19738bd2a11446f70d78", + "sha256": "0c6d0102fe8894c83035cd8adffb78aa73d692c3f72b51f13a9089c44447a009", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\terabox.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:59:14", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "NOvkvADuG/cp0oPCyhmxBg==:3:61:140", + "_insert_time": "Dec 02 2025 18:59:46", + "_name": "PrewittSensorDetect-Low", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5706-3815696", + "confidence": 30, + "context_timestamp": "Dec 02 2025 18:58:07", + "crawled_timestamp": "2025-12-03T00:59:10.111154898Z", + "created_timestamp": "2025-12-03T00:59:10.111145891Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's low-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-Low", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5706-3815696?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5706-3815696", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5706, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5706-3815696", + "occurred": "Dec 02 2025 18:59:10", + "pattern_id": 5706, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxeRdu7jVDVR8JGxBv5yKGsAAATiHm1YIcjIHxI809wUsaJq-Av9CHS0foHLJnuzeQylBw4Q==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287936371" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\wsqmanager.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5706-3815696", + "confidence": 30, + "context_timestamp": "2025-12-03T00:58:07.805Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "crawled_timestamp": "2025-12-03T00:59:10.111154898Z", + "created_timestamp": "2025-12-03T00:59:10.111145891Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's low-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-Low", + "email_sent": true, + "event_correlation_id": "05a97296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5706-3815696?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqmanager.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "files_written": [ + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764723488" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "732", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:12557689", + "process_id": "12557689", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5706-3815696", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5706-3815696", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "md5": "fb2407a87c2453ab3150dbd0e9e02439", + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "local_prevalence": "low", + "local_process_id": "4156", + "logon_domain": "WORKGROUP", + "md5": "fb2407a87c2453ab3150dbd0e9e02439", + "mitre_attack": [ + { + "pattern_id": 5706, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-Low", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\PSEXESVC.exe", + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\PSEXESVC.exe", + "local_process_id": "6464", + "md5": "44118d8fb41634b3d8d8b1c6fdf9c421", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23286303500", + "process_id": "23286303500", + "sha256": "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e", + "timestamp": "2025-12-03T00:58:21Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "parent_process_id": "23286303500", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5706, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxeRdu7jVDVR8JGxBv5yKGsAAATiHm1YIcjIHxI809wUsaJq-Av9CHS0foHLJnuzeQylBw4Q==", + "priority_details": { + "raw_value": 48 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred" + ], + "priority_value": 48, + "process_end_time": "1764723490", + "process_id": "23287195737", + "process_start_time": "1764723487", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 30, + "severity_name": "Low", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T00:58:08.27Z", + "tree_id": "4297103684", + "tree_root": "23287195737", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:14.534021878Z", + "user_id": "S-1-5-18", + "user_name": "khabibulin$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 30, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:58:08", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:14.534021878Z", + "user_name": "khabibulin$", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\wsqmanager.exe\"", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqmanager.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "global_prevalence": "low", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5706-3815696", + "local_prevalence": "low", + "local_process_id": 4156, + "logon_domain": "WORKGROUP", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 48 + }, + "priority_explanation": [ + "[MOD] The severity of the detection", + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred" + ], + "priority_value": 48, + "process_id": 23287195737, + "process_start_time": 1764723487, + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "tree_id": 4297103684, + "tree_root": 23287195737, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "05a97296-decf-f011-9bde-7c1e525c4876", + "md5": "fb2407a87c2453ab3150dbd0e9e02439", + "alleged_filetype": "exe", + "parent_process_id": 23286303500, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\PSEXESVC.exe", + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\PSEXESVC.exe", + "local_process_id": "6464", + "md5": "44118d8fb41634b3d8d8b1c6fdf9c421", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23286303500", + "process_id": "23286303500", + "sha256": "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e", + "timestamp": "2025-12-03T00:58:21Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "732", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:12557689", + "process_id": "12557689", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287936371" + ], + "process_end_time": 1764723490, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "md5": "fb2407a87c2453ab3150dbd0e9e02439", + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764723488" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 19:06:00", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "MgsxQlpOz8IqaWlPnnhuuQ==:1:61:140", + "_insert_time": "Dec 02 2025 19:06:46", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189-5708-4178192", + "confidence": 70, + "context_timestamp": "Dec 02 2025 19:04:56", + "crawled_timestamp": "2025-12-03T01:05:58.873815862Z", + "created_timestamp": "2025-12-03T01:05:58.873810924Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189-5708-4178192?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189-5708-4178192", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189-5708-4178192", + "occurred": "Dec 02 2025 19:05:58", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxGHpQNFafwhk48-PvLNzWSwAATiEgAdKJJzXZ9sv9hx6AXSxXwqZM56_W2DAJK4Aun2LDcQ==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23317404059" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189-5708-4178192", + "confidence": 70, + "context_timestamp": "2025-12-03T01:04:56.956Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "crawled_timestamp": "2025-12-03T01:05:58.873815862Z", + "created_timestamp": "2025-12-03T01:05:58.873810924Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T01:03:11Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "4bb07296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189-5708-4178192?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10196", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23313988824", + "process_id": "23313988824", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-03T01:04:59Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189-5708-4178192", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189-5708-4178192", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "md5": "418fd5979c6ccb2352408743032ef57b", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "local_prevalence": "unique", + "local_process_id": "8792", + "logon_domain": "WORKGROUP", + "md5": "418fd5979c6ccb2352408743032ef57b", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "local_process_id": "8568", + "md5": "418fd5979c6ccb2352408743032ef57b", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332", + "process_id": "23315384332", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "timestamp": "2025-12-03T01:04:59Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "parent_process_id": "23315384332", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxGHpQNFafwhk48-PvLNzWSwAATiEgAdKJJzXZ9sv9hx6AXSxXwqZM56_W2DAJK4Aun2LDcQ==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 99, + "process_id": "23316286189", + "process_start_time": "1764723896", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T01:04:57.475Z", + "tree_id": "4298474062", + "tree_root": "23289889682", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189", + "type": "ldt", + "updated_timestamp": "2025-12-03T01:06:00.143779844Z", + "user_id": "S-1-5-18", + "user_name": "khabibulin$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 19:04:57", + "type": "ldt", + "updated_timestamp": "2025-12-03T01:06:00.143779844Z", + "user_name": "khabibulin$", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T01:03:11Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "global_prevalence": "low", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189-5708-4178192", + "local_prevalence": "unique", + "local_process_id": 8792, + "logon_domain": "WORKGROUP", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 99, + "process_id": 23316286189, + "process_start_time": 1764723896, + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "tree_id": 4298474062, + "tree_root": 23289889682, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "4bb07296-decf-f011-9bde-7c1e525c4876", + "md5": "418fd5979c6ccb2352408743032ef57b", + "alleged_filetype": "exe", + "parent_process_id": 23315384332, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "local_process_id": "8568", + "md5": "418fd5979c6ccb2352408743032ef57b", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332", + "process_id": "23315384332", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "timestamp": "2025-12-03T01:04:59Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10196", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23313988824", + "process_id": "23313988824", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-03T01:04:59Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23317404059" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "md5": "418fd5979c6ccb2352408743032ef57b", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 19:05:59", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "MgsxQlpOz8IqaWlPnnhuuQ==:0:61:140", + "_insert_time": "Dec 02 2025 19:06:46", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332-5708-4171280", + "confidence": 70, + "context_timestamp": "Dec 02 2025 19:04:56", + "crawled_timestamp": "2025-12-03T01:05:58.866239775Z", + "created_timestamp": "2025-12-03T01:05:58.866225188Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332-5708-4171280?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332-5708-4171280", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332-5708-4171280", + "occurred": "Dec 02 2025 19:05:58", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx0isCwJvNYTvr10UMA-i1YQAATiGkbkqWjmPht51lGxOhV8E5359f_Kh62O-UG2jcO1wwew==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332-5708-4171280", + "confidence": 70, + "context_timestamp": "2025-12-03T01:04:56.877Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "crawled_timestamp": "2025-12-03T01:05:58.866239775Z", + "created_timestamp": "2025-12-03T01:05:58.866225188Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T01:03:11Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "2bb07296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332-5708-4171280?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "4856", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682", + "process_id": "23289889682", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-03T00:58:23Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332-5708-4171280", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332-5708-4171280", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "md5": "418fd5979c6ccb2352408743032ef57b", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "local_prevalence": "unique", + "local_process_id": "8568", + "logon_domain": "WORKGROUP", + "md5": "418fd5979c6ccb2352408743032ef57b", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10196", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23313988824", + "process_id": "23313988824", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-03T01:04:59Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "parent_process_id": "23313988824", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx0isCwJvNYTvr10UMA-i1YQAATiGkbkqWjmPht51lGxOhV8E5359f_Kh62O-UG2jcO1wwew==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_end_time": "1764723897", + "process_id": "23315384332", + "process_start_time": "1764723896", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T01:04:57.474Z", + "tree_id": "4298474062", + "tree_root": "23289889682", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332", + "type": "ldt", + "updated_timestamp": "2025-12-03T01:05:59.699034356Z", + "user_id": "S-1-5-18", + "user_name": "khabibulin$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 19:04:57", + "type": "ldt", + "updated_timestamp": "2025-12-03T01:05:59.699034356Z", + "user_name": "khabibulin$", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T01:03:11Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "global_prevalence": "low", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332-5708-4171280", + "local_prevalence": "unique", + "local_process_id": 8568, + "logon_domain": "WORKGROUP", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_id": 23315384332, + "process_start_time": 1764723896, + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "tree_id": 4298474062, + "tree_root": 23289889682, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23315384332", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "2bb07296-decf-f011-9bde-7c1e525c4876", + "md5": "418fd5979c6ccb2352408743032ef57b", + "alleged_filetype": "exe", + "parent_process_id": 23313988824, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "10196", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23313988824", + "process_id": "23313988824", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-03T01:04:59Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "4856", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682", + "process_id": "23289889682", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-03T00:58:23Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23316286189" + ], + "process_end_time": 1764723897, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "md5": "418fd5979c6ccb2352408743032ef57b", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 19:00:37", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "TCsmK+UTrubxgoDM0QJiJw==:2:61:140", + "_insert_time": "Dec 02 2025 19:00:46", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529-5708-3956240", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:59:33", + "crawled_timestamp": "2025-12-03T01:00:35.765143571Z", + "created_timestamp": "2025-12-03T01:00:35.76513034Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529-5708-3956240?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529-5708-3956240", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529-5708-3956240", + "occurred": "Dec 02 2025 19:00:35", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxJZJjx-De2YJ1JzWD_SGjbwAATiGdWF6e12dWBFsHtHLr5XCatX3oK7isAwuQwkTfaF-Ozg==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529-5708-3956240", + "confidence": 70, + "context_timestamp": "2025-12-03T00:59:33.772Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "crawled_timestamp": "2025-12-03T01:00:35.765143571Z", + "created_timestamp": "2025-12-03T01:00:35.76513034Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "78aa7296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529-5708-3956240?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "4856", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682", + "process_id": "23289889682", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-03T00:58:23Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529-5708-3956240", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529-5708-3956240", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "md5": "418fd5979c6ccb2352408743032ef57b", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "local_prevalence": "unique", + "local_process_id": "10592", + "logon_domain": "WORKGROUP", + "md5": "418fd5979c6ccb2352408743032ef57b", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "8248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23292959109", + "process_id": "23292959109", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-03T00:59:33Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "parent_process_id": "23292959109", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxJZJjx-De2YJ1JzWD_SGjbwAATiGdWF6e12dWBFsHtHLr5XCatX3oK7isAwuQwkTfaF-Ozg==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_end_time": "1764723573", + "process_id": "23294619529", + "process_start_time": "1764723573", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T00:59:34.059Z", + "tree_id": "4298474062", + "tree_root": "23289889682", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529", + "type": "ldt", + "updated_timestamp": "2025-12-03T01:00:37.382903986Z", + "user_id": "S-1-5-18", + "user_name": "khabibulin$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:59:34", + "type": "ldt", + "updated_timestamp": "2025-12-03T01:00:37.382903986Z", + "user_name": "khabibulin$", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "global_prevalence": "low", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529-5708-3956240", + "local_prevalence": "unique", + "local_process_id": 10592, + "logon_domain": "WORKGROUP", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: cmd.exe", + "[MOD] The grandparent process was identified as: svchost.exe" + ], + "priority_value": 99, + "process_id": 23294619529, + "process_start_time": 1764723573, + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "tree_id": 4298474062, + "tree_root": 23289889682, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "78aa7296-decf-f011-9bde-7c1e525c4876", + "md5": "418fd5979c6ccb2352408743032ef57b", + "alleged_filetype": "exe", + "parent_process_id": 23292959109, + "sha1": 0, + "parent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "8248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23292959109", + "process_id": "23292959109", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-03T00:59:33Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\System32\\svchost.exe -k WinSysRestoreGroup -s WinResSvc", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe", + "local_process_id": "4856", + "md5": "b7f884c1b74a263f746ee12a5f7c9f6a", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23289889682", + "process_id": "23289889682", + "sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88", + "timestamp": "2025-12-03T00:58:23Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370" + ], + "process_end_time": 1764723573, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "md5": "418fd5979c6ccb2352408743032ef57b", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 19:00:37", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "TCsmK+UTrubxgoDM0QJiJw==:1:61:140", + "_insert_time": "Dec 02 2025 19:00:46", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370-5708-3963664", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:59:33", + "crawled_timestamp": "2025-12-03T01:00:35.738219755Z", + "created_timestamp": "2025-12-03T01:00:35.738213668Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370-5708-3963664?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370-5708-3963664", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370-5708-3963664", + "occurred": "Dec 02 2025 19:00:35", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxAbP3FAdxUivBUKo83ke13gAATiHbEZuDBlRRvcX0A-dq7MwQjRrWxiT14pv9quMmSO-t1g==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23296804096" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370-5708-3963664", + "confidence": 70, + "context_timestamp": "2025-12-03T00:59:33.865Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "crawled_timestamp": "2025-12-03T01:00:35.738219755Z", + "created_timestamp": "2025-12-03T01:00:35.738213668Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "99aa7296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370-5708-3963664?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "8248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23292959109", + "process_id": "23292959109", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-03T00:59:33Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370-5708-3963664", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370-5708-3963664", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "md5": "418fd5979c6ccb2352408743032ef57b", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "local_prevalence": "unique", + "local_process_id": "500", + "logon_domain": "WORKGROUP", + "md5": "418fd5979c6ccb2352408743032ef57b", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "local_process_id": "10592", + "md5": "418fd5979c6ccb2352408743032ef57b", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529", + "process_id": "23294619529", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "timestamp": "2025-12-03T00:59:36Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "parent_process_id": "23294619529", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxAbP3FAdxUivBUKo83ke13gAATiHbEZuDBlRRvcX0A-dq7MwQjRrWxiT14pv9quMmSO-t1g==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 99, + "process_id": "23295979370", + "process_start_time": "1764723573", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T00:59:34.638Z", + "tree_id": "4298474062", + "tree_root": "23289889682", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370", + "type": "ldt", + "updated_timestamp": "2025-12-03T01:00:37.371918925Z", + "user_id": "S-1-5-18", + "user_name": "khabibulin$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:59:34", + "type": "ldt", + "updated_timestamp": "2025-12-03T01:00:37.371918925Z", + "user_name": "khabibulin$", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4298474062", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "global_prevalence": "low", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370-5708-3963664", + "local_prevalence": "unique", + "local_process_id": 500, + "logon_domain": "WORKGROUP", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The grandparent process was identified as: cmd.exe" + ], + "priority_value": 99, + "process_id": 23295979370, + "process_start_time": 1764723573, + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "tree_id": 4298474062, + "tree_root": 23289889682, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23295979370", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "99aa7296-decf-f011-9bde-7c1e525c4876", + "md5": "418fd5979c6ccb2352408743032ef57b", + "alleged_filetype": "exe", + "parent_process_id": 23294619529, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "local_process_id": "10592", + "md5": "418fd5979c6ccb2352408743032ef57b", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23294619529", + "process_id": "23294619529", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "timestamp": "2025-12-03T00:59:36Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "grandparent_details": { + "cmdline": "cmd.exe /c C:\\Windows\\Temp\\wingtsvcupdt.exe -r", + "filename": "cmd.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe", + "local_process_id": "8248", + "md5": "8a2122e8162dbef04694b9c3e0b6cdee", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23292959109", + "process_id": "23292959109", + "sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450", + "timestamp": "2025-12-03T00:59:33Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23296804096" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "md5": "418fd5979c6ccb2352408743032ef57b", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 03 2025 12:01:09", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "yT5wYShnE3RxtfMuxLU+yg==:0:61:140", + "_insert_time": "Dec 03 2025 12:01:46", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17201164696", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-5708-60227856", + "confidence": 70, + "context_timestamp": "Dec 03 2025 12:00:00", + "crawled_timestamp": "2025-12-03T18:01:04.791501857Z", + "created_timestamp": "2025-12-03T18:01:04.791492941Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-5708-60227856?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-5708-60227856", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-5708-60227856", + "occurred": "Dec 03 2025 12:01:04", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxD19UbzuQZ2vfJQWfSfzAXAAATiH04bj7v1mYK0gj8AE6txOx2wDzer_XJAEyOEXTCvooGg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17201164696", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32210998498" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-5708-60227856", + "confidence": 70, + "context_timestamp": "2025-12-03T18:00:00.954Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17201164696", + "crawled_timestamp": "2025-12-03T18:01:04.791501857Z", + "created_timestamp": "2025-12-03T18:01:04.791492941Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T17:38:01Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T17:56:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "f8ad1afe-6fd0-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-5708-60227856?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-5708-60227856", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-5708-60227856", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "local_prevalence": "low", + "local_process_id": "7472", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxD19UbzuQZ2vfJQWfSfzAXAAATiH04bj7v1mYK0gj8AE6txOx2wDzer_XJAEyOEXTCvooGg==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_end_time": "1764784801", + "process_id": "32209142763", + "process_start_time": "1764784800", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T18:00:01.229Z", + "tree_id": "17201164696", + "tree_root": "32209142763", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32209142763", + "type": "ldt", + "updated_timestamp": "2025-12-03T18:01:09.341036287Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 03 2025 12:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-03T18:01:09.341036287Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17201164696", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T17:38:01Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T17:56:11Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32209142763-5708-60227856", + "local_prevalence": "low", + "local_process_id": 7472, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_id": 32209142763, + "process_start_time": 1764784800, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17201164696, + "tree_root": 32209142763, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32209142763", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "f8ad1afe-6fd0-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32210998498" + ], + "process_end_time": 1764784801, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 03 2025 00:01:04", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "hIYIi7t8/K7UPaBnYAcpPA==:1:61:140", + "_insert_time": "Dec 03 2025 00:01:46", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17199237263", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-5708-31829520", + "confidence": 70, + "context_timestamp": "Dec 03 2025 00:00:00", + "crawled_timestamp": "2025-12-03T06:01:02.929811895Z", + "created_timestamp": "2025-12-03T06:01:02.929806623Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-5708-31829520?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-5708-31829520", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-5708-31829520", + "occurred": "Dec 03 2025 00:01:02", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx3bq5n8mLLi7KFAOanfYprQAATiH4zwIuBJgH8P5RFFYQTOU-jo70LP87Bg9HJ_DSj8a9eg==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17199237263", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31814444001" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-5708-31829520", + "confidence": 70, + "context_timestamp": "2025-12-03T06:00:00.623Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17199237263", + "crawled_timestamp": "2025-12-03T06:01:02.929811895Z", + "created_timestamp": "2025-12-03T06:01:02.929806623Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T05:45:57Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T05:56:15Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "63c681de-09d0-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-5708-31829520?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-5708-31829520", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-5708-31829520", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "local_prevalence": "low", + "local_process_id": "7528", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx3bq5n8mLLi7KFAOanfYprQAATiH4zwIuBJgH8P5RFFYQTOU-jo70LP87Bg9HJ_DSj8a9eg==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_end_time": "1764741600", + "process_id": "31813363062", + "process_start_time": "1764741600", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T06:00:00.959Z", + "tree_id": "17199237263", + "tree_root": "31813363062", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31813363062", + "type": "ldt", + "updated_timestamp": "2025-12-03T06:01:04.423618335Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 03 2025 00:00:00", + "type": "ldt", + "updated_timestamp": "2025-12-03T06:01:04.423618335Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17199237263", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T05:45:57Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T05:56:15Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31813363062-5708-31829520", + "local_prevalence": "low", + "local_process_id": 7528, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_id": 31813363062, + "process_start_time": 1764741600, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17199237263, + "tree_root": 31813363062, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31813363062", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "63c681de-09d0-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31814444001" + ], + "process_end_time": 1764741600, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:01:05", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "/tsm9hXv3uqu2NHuaujlWg==:0:61:140", + "_insert_time": "Dec 02 2025 18:01:47", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17186097233", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-5708-17060880", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:00:01", + "crawled_timestamp": "2025-12-03T00:01:04.325936569Z", + "created_timestamp": "2025-12-03T00:01:04.325929408Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-5708-17060880?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-5708-17060880", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-5708-17060880", + "occurred": "Dec 02 2025 18:01:04", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxZklFpunF1IuWI5RC5bExEgAATiFw6MAxTLSaSwajvFLKxKHp4NmMa-n-Grmgs2J-ysWqXA==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17186097233", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31534286955" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-5708-17060880", + "confidence": 70, + "context_timestamp": "2025-12-03T00:00:01.194Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17186097233", + "crawled_timestamp": "2025-12-03T00:01:04.325936569Z", + "created_timestamp": "2025-12-03T00:01:04.325929408Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "e33c88a8-d8cf-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-5708-17060880?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-5708-17060880", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-5708-17060880", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "local_prevalence": "low", + "local_process_id": "7152", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxZklFpunF1IuWI5RC5bExEgAATiFw6MAxTLSaSwajvFLKxKHp4NmMa-n-Grmgs2J-ysWqXA==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_end_time": "1764720001", + "process_id": "31533573281", + "process_start_time": "1764720001", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T00:00:01.758Z", + "tree_id": "17186097233", + "tree_root": "31533573281", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31533573281", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:01:05.946438513Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:01:05.946438513Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17186097233", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-02T23:31:54Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-02T23:56:34Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:31533573281-5708-17060880", + "local_prevalence": "low", + "local_process_id": 7152, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_id": 31533573281, + "process_start_time": 1764720001, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17186097233, + "tree_root": 31533573281, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:31533573281", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "e33c88a8-d8cf-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:31534286955" + ], + "process_end_time": 1764720001, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 03 2025 06:01:08", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "uZr1+UZgjDOLE9T5EPRoyQ==:0:61:140", + "_insert_time": "Dec 03 2025 06:01:46", + "_name": "PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17200638911", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-5708-46115088", + "confidence": 70, + "context_timestamp": "Dec 03 2025 06:00:01", + "crawled_timestamp": "2025-12-03T12:01:06.504031661Z", + "created_timestamp": "2025-12-03T12:01:06.504021651Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "display_name": "PrewittSensorDetect-High", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-5708-46115088?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-5708-46115088", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-5708-46115088", + "occurred": "Dec 03 2025 06:01:06", + "pattern_id": 5708, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxRYR47XTfQLuS6KrqxGBjXwAATiHcCz8SD2qRGH59IhayHWUa9yqwgWxQ4heTSeofPHwf4A==", + "product": "epp", + "rawJSON": { + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:52917f37b9d44993b4d0f0d9024236a1:17200638911", + "alleged_filetype": "exe", + "associated_files": [], + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32005807947" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-5708-46115088", + "confidence": 70, + "context_timestamp": "2025-12-03T12:00:01.000Z", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17200638911", + "crawled_timestamp": "2025-12-03T12:01:06.504031661Z", + "created_timestamp": "2025-12-03T12:01:06.504021651Z", + "data_domains": [ + "Endpoint" + ], + "description": "This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T11:57:59Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T11:59:04Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "PrewittSensorDetect-High", + "email_sent": true, + "event_correlation_id": "188ec173-3ad0-f011-8baa-7c1e5268cb30", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-5708-46115088?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "host_names": [ + "bannik" + ], + "id": "ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-5708-46115088", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-5708-46115088", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "local_prevalence": "low", + "local_process_id": "3260", + "logon_domain": "SKT", + "md5": "55476797db948e6f8581ed432da5d534", + "mitre_attack": [ + { + "pattern_id": 5708, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "parent_process_id": "17226813463", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5708, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxRYR47XTfQLuS6KrqxGBjXwAATiHcCz8SD2qRGH59IhayHWUa9yqwgWxQ4heTSeofPHwf4A==", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_end_time": "1764763201", + "process_id": "32004767323", + "process_start_time": "1764763200", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "show_in_ui": true, + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T12:00:01.211Z", + "tree_id": "17200638911", + "tree_root": "32004767323", + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32004767323", + "type": "ldt", + "updated_timestamp": "2025-12-03T12:01:08.13011744Z", + "user_id": "S-1-5-18", + "user_name": "bannik$", + "user_principal": "bannik$@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "bannik" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 03 2025 06:00:01", + "type": "ldt", + "updated_timestamp": "2025-12-03T12:01:08.13011744Z", + "user_name": "bannik$", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\System32\\wmimetricsq.exe\"", + "control_graph_id": "ctg:52917f37b9d44993b4d0f0d9024236a1:17200638911", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:07:41.719Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "American Megatrends Inc.", + "bios_version": "090008 ", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "52917f37b9d44993b4d0f0d9024236a1", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T15:16:44Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "active_directory_dn_display": [ + "Domain Controllers" + ], + "domain": "skt.local" + }, + "hostname": "bannik", + "instance_id": "52887a5d-76f6-4729-ba66-c82c64c812f0", + "last_seen": "2025-12-03T11:57:59Z", + "local_ip": "10.20.10.9", + "mac_address": "7c-1e-52-68-cb-30", + "machine_domain": "skt.local", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T11:59:04Z", + "os_version": "Windows Server 2019", + "ou": [ + "Domain Controllers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "2", + "product_type_desc": "Domain Controller", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wmimetricsq.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "global_prevalence": "low", + "indicator_id": "ind:52917f37b9d44993b4d0f0d9024236a1:32004767323-5708-46115088", + "local_prevalence": "low", + "local_process_id": 3260, + "logon_domain": "SKT", + "pattern_disposition": 2304, + "pattern_disposition_description": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": true, + "prevention_provisioning_enabled": false, + "process_blocked": true, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 99 + }, + "priority_explanation": [ + "[MOD] The disposition for the detection: attempted process block, but no prevention occurred", + "[MOD] The detection is based on Pattern 5708: This file meets the File Analysis ML algorithm's high-confidence threshold for malware.", + "[MOD] The parent process was identified as: svchost.exe", + "[MOD] The grandparent process was identified as: services.exe" + ], + "priority_value": 99, + "process_id": 32004767323, + "process_start_time": 1764763200, + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "tree_id": 17200638911, + "tree_root": 32004767323, + "triggering_process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:32004767323", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "188ec173-3ad0-f011-8baa-7c1e5268cb30", + "md5": "55476797db948e6f8581ed432da5d534", + "alleged_filetype": "exe", + "parent_process_id": 17226813463, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", + "filename": "svchost.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe", + "local_process_id": "2288", + "md5": "4dd18f001ac31d5f48f50f99e4aa1761", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17226813463", + "process_id": "17226813463", + "sha256": "2b105fb153b1bcd619b95028612b3a93c60b953eef6837d3bb0099e4207aaf6b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe", + "local_process_id": "932", + "md5": "0d464c4bf9d85412d6ef15eea3a91e72", + "process_graph_id": "pid:52917f37b9d44993b4d0f0d9024236a1:17191348927", + "process_id": "17191348927", + "sha256": "243e370c279b3b8062e5dd81d8df539705397cc68472168251ed54134b13d70b", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:52917f37b9d44993b4d0f0d9024236a1:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "bannik$" + }, + "user_principal": "bannik$@skt.local", + "child_process_ids": [ + "pid:52917f37b9d44993b4d0f0d9024236a1:32005807947" + ], + "process_end_time": 1764763201, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "md5": "55476797db948e6f8581ed432da5d534", + "sha256": "901c049c69b87de2c24637e30a874d4fa53d8ee45c318c49e7bb417d1920977c", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume2\\Windows\\System32\\wmimetricsq.exe", + "ioc_source": "library_load", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:59:14", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "NOvkvADuG/cp0oPCyhmxBg==:4:61:140", + "_insert_time": "Dec 02 2025 18:59:46", + "_name": "OnWrite-PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3853584", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:58:08", + "crawled_timestamp": "2025-12-03T00:59:10.734522718Z", + "created_timestamp": "2025-12-03T00:59:10.734485911Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3853584?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3853584", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3853584", + "occurred": "Dec 02 2025 18:59:10", + "pattern_id": 5734, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxRC8nVsaLgHqOTNQz4_X02AAATiEIWx9MNK1sjC6DfJEkzzns6MhTCP1hZU5vejpqnOsz6Q==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f" + } + ], + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287936371" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\wsqmanager.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3853584", + "confidence": 70, + "context_timestamp": "2025-12-03T00:58:08.968Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "crawled_timestamp": "2025-12-03T00:59:10.734522718Z", + "created_timestamp": "2025-12-03T00:59:10.734485911Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "aba97296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3853584?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqmanager.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "files_written": [ + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764723488" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "732", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:12557689", + "process_id": "12557689", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3853584", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3853584", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "md5": "de9e37104fed5cbbd030de112c2d8b57", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "local_prevalence": "low", + "local_process_id": "4156", + "logon_domain": "WORKGROUP", + "md5": "de9e37104fed5cbbd030de112c2d8b57", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\PSEXESVC.exe", + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\PSEXESVC.exe", + "local_process_id": "6464", + "md5": "44118d8fb41634b3d8d8b1c6fdf9c421", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23286303500", + "process_id": "23286303500", + "sha256": "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e", + "timestamp": "2025-12-03T00:58:21Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "parent_process_id": "23286303500", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5734, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxRC8nVsaLgHqOTNQz4_X02AAATiEIWx9MNK1sjC6DfJEkzzns6MhTCP1hZU5vejpqnOsz6Q==", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_end_time": "1764723490", + "process_id": "23287195737", + "process_start_time": "1764723487", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T00:58:09.248Z", + "tree_id": "4297103684", + "tree_root": "23287195737", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:14.17002868Z", + "user_id": "S-1-5-18", + "user_name": "khabibulin$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:58:09", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:14.17002868Z", + "user_name": "khabibulin$", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\wsqmanager.exe\"", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqmanager.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "global_prevalence": "low", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3853584", + "local_prevalence": "low", + "local_process_id": 4156, + "logon_domain": "WORKGROUP", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": 23287195737, + "process_start_time": 1764723487, + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "tree_id": 4297103684, + "tree_root": 23287195737, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "aba97296-decf-f011-9bde-7c1e525c4876", + "md5": "de9e37104fed5cbbd030de112c2d8b57", + "alleged_filetype": "exe", + "parent_process_id": 23286303500, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\PSEXESVC.exe", + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\PSEXESVC.exe", + "local_process_id": "6464", + "md5": "44118d8fb41634b3d8d8b1c6fdf9c421", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23286303500", + "process_id": "23286303500", + "sha256": "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e", + "timestamp": "2025-12-03T00:58:21Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "732", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:12557689", + "process_id": "12557689", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287936371" + ], + "process_end_time": 1764723490, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "md5": "de9e37104fed5cbbd030de112c2d8b57", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764723488" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\mressvc.dll", + "sha256": "a73996f6f5da33591aa57593bc3a8761fcc0ff94d0143fec31920d3ec4a3e33f" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 19:00:37", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "TCsmK+UTrubxgoDM0QJiJw==:0:61:140", + "_insert_time": "Dec 02 2025 19:00:46", + "_name": "OnWrite-PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4300283680", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-5734-3936272", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:59:32", + "crawled_timestamp": "2025-12-03T01:00:34.762711378Z", + "created_timestamp": "2025-12-03T01:00:34.762703629Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-5734-3936272?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-5734-3936272", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-5734-3936272", + "occurred": "Dec 02 2025 19:00:34", + "pattern_id": 5734, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxPZ17A1RvdMu0gpBhPuhgsAAATiGmVnW9u7x4GTYN7jrdc64ypLM-VYcODouana1S-dUgMA==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4300283680", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb" + } + ], + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22929367612", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22932460850", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22932324740", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22940433508", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22938404596", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22934372369", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22937032160", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22939694495", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22941645755", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22942707638", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22947412512", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22946841105", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22945527344", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22943091356", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22954913349", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22951712169", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22953057293", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22960213473", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22961880068", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22964833839", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22963299314", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22966838889", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22977033969", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22981524096", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22988144656", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22990127295", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22991313301", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22997718250", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23002410332", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23004256385", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23005494925", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23009815108", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23015297716", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23037429480", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23039038761", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23041106103", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23042157728", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23039956193", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23036322375", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23043080457", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23043723110", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23046395010", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23050179075", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23052907227", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23054315794", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23056456253", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23058470623", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23067428383", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23074435654", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23076869641" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-5734-3936272", + "confidence": 70, + "context_timestamp": "2025-12-03T00:59:32.060Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4300283680", + "crawled_timestamp": "2025-12-03T01:00:34.762711378Z", + "created_timestamp": "2025-12-03T01:00:34.762703629Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "47aa7296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-5734-3936272?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "files_accessed": [ + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723491" + }, + { + "filename": "workdict.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\0511", + "timestamp": "1764723572" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764723592" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764723612" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764723632" + } + ], + "files_written": [ + { + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp", + "timestamp": "1764723572" + }, + { + "filename": "Microsoft Edge.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", + "timestamp": "1764719771" + }, + { + "filename": "domain_actions.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_326536210", + "timestamp": "1764720132" + }, + { + "filename": "well_known_domains.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_572621730", + "timestamp": "1764720531" + }, + { + "filename": "Microsoft.CognitiveServices.Speech.core.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_881493112", + "timestamp": "1764720788" + } + ], + "global_prevalence": "common", + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "4176", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22861421361", + "process_id": "22861421361", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-03T00:58:11Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-21-4168186624-547105363-3065826963-1112", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "user_name": "adalwolfa" + }, + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-5734-3936272", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-5734-3936272", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "md5": "418fd5979c6ccb2352408743032ef57b", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "local_prevalence": "common", + "local_process_id": "5868", + "logon_domain": "SKT", + "md5": "418fd5979c6ccb2352408743032ef57b", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-High", + "network_accesses": [ + { + "access_timestamp": "1764723491", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "224.0.0.251", + "remote_port": "5353" + }, + { + "access_timestamp": "1764723492", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "52424", + "protocol": "TCP", + "remote_address": "91.52.62.203", + "remote_port": "80" + }, + { + "access_timestamp": "1764723491", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": true, + "local_address": "fe80:0:0:0:745b:af14:1d46:a739", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "ff02:0:0:0:0:0:0:fb", + "remote_port": "5353" + } + ], + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" ", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "10612", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22927701416", + "process_id": "22927701416", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-03T00:58:12Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-21-4168186624-547105363-3065826963-1112", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "user_name": "adalwolfa" + }, + "parent_process_id": "22927701416", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5734, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxPZ17A1RvdMu0gpBhPuhgsAAATiGmVnW9u7x4GTYN7jrdc64ypLM-VYcODouana1S-dUgMA==", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The process is: msedge.exe", + "[MOD] The parent process was identified as: msedge.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 94, + "process_id": "22928534850", + "process_start_time": "1764719753", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T00:59:32.726Z", + "tree_id": "4300283680", + "tree_root": "22928534850", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850", + "type": "ldt", + "updated_timestamp": "2025-12-03T01:00:37.285056144Z", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "user_name": "adalwolfa", + "user_principal": "Adalwolfa@skt.local", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:59:32", + "type": "ldt", + "updated_timestamp": "2025-12-03T01:00:37.285056144Z", + "user_name": "adalwolfa", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --edge-skip-compat-layer-relaunch", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4300283680", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "global_prevalence": "common", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850-5734-3936272", + "local_prevalence": "common", + "local_process_id": 5868, + "logon_domain": "SKT", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 94 + }, + "priority_explanation": [ + "[MOD] The detection is based on Pattern 5734: A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "[MOD] The process is: msedge.exe", + "[MOD] The parent process was identified as: msedge.exe", + "[MOD] The grandparent process was identified as: explorer.exe" + ], + "priority_value": 94, + "process_id": 22928534850, + "process_start_time": 1764719753, + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "tree_id": 4300283680, + "tree_root": 22928534850, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22928534850", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "email_sent": "true", + "event_correlation_id": "47aa7296-decf-f011-9bde-7c1e525c4876", + "md5": "418fd5979c6ccb2352408743032ef57b", + "alleged_filetype": "exe", + "parent_process_id": 22927701416, + "sha1": 0, + "parent_details": { + "cmdline": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" ", + "filename": "msedge.exe", + "filepath": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "local_process_id": "10612", + "md5": "cc88e8cbc96e0183f15a240ec2e6d7bb", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22927701416", + "process_id": "22927701416", + "sha256": "c089768e72071aca205e6b77c0538f58a3896ce5b0f65ba9bd38cdae263d8a03", + "timestamp": "2025-12-03T00:58:12Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-21-4168186624-547105363-3065826963-1112", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "user_name": "adalwolfa" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\explorer.exe", + "local_process_id": "4176", + "md5": "e810428cb38ec7c960c98bf36f9a240d", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22861421361", + "process_id": "22861421361", + "sha256": "4ef2a8be5ef3e6c6f55a5aa195ced4d08f7bc22de3555c5858d752c72617cb40", + "timestamp": "2025-12-03T00:58:11Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-21-4168186624-547105363-3065826963-1112", + "user_id": "S-1-5-21-4168186624-547105363-3065826963-1112", + "user_name": "adalwolfa" + }, + "user_principal": "Adalwolfa@skt.local", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22929367612", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22932460850", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22932324740", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22940433508", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22938404596", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22934372369", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22937032160", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22939694495", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22941645755", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22942707638", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22947412512", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22946841105", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22945527344", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22943091356", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22954913349", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22951712169", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22953057293", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22960213473", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22961880068", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22964833839", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22963299314", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22966838889", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22977033969", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22981524096", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22988144656", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22990127295", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22991313301", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:22997718250", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23002410332", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23004256385", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23005494925", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23009815108", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23015297716", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23037429480", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23039038761", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23041106103", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23042157728", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23039956193", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23036322375", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23043080457", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23043723110", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23046395010", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23050179075", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23052907227", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23054315794", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23056456253", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23058470623", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23067428383", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23074435654", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23076869641" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "md5": "418fd5979c6ccb2352408743032ef57b", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "wingtsvcupdt.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp", + "timestamp": "1764723572" + }, + { + "filename": "Microsoft Edge.lnk", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", + "timestamp": "1764719771" + }, + { + "filename": "domain_actions.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_326536210", + "timestamp": "1764720132" + }, + { + "filename": "well_known_domains.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_572621730", + "timestamp": "1764720531" + }, + { + "filename": "Microsoft.CognitiveServices.Speech.core.dll", + "filepath": "\\Device\\HarddiskVolume4\\Users\\adalwolfa\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping5868_881493112", + "timestamp": "1764720788" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764723491", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "224.0.0.251", + "remote_port": "5353" + }, + { + "access_timestamp": "1764723492", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "52424", + "protocol": "TCP", + "remote_address": "91.52.62.203", + "remote_port": "80" + }, + { + "access_timestamp": "1764723491", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": true, + "local_address": "fe80:0:0:0:745b:af14:1d46:a739", + "local_port": "5353", + "protocol": "UDP", + "remote_address": "ff02:0:0:0:0:0:0:fb", + "remote_port": "5353" + } + ], + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\Temp\\wingtsvcupdt.exe", + "sha256": "9f950697b9b91dcab6cbed2438a4c24da228f1ecb4cbad3e0a265c67f31a33bb" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": [ + { + "filename": "setuplst.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723491" + }, + { + "filename": "workdict.xml", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\0511", + "timestamp": "1764723572" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764723592" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764723612" + }, + { + "filename": "traverse.gif", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\2028", + "timestamp": "1764723632" + } + ], + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:59:16", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "NOvkvADuG/cp0oPCyhmxBg==:5:61:140", + "_insert_time": "Dec 02 2025 18:59:46", + "_name": "OnWrite-PrewittSensorDetect-High", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3865104", + "confidence": 70, + "context_timestamp": "Dec 02 2025 18:58:09", + "crawled_timestamp": "2025-12-03T00:59:10.738773071Z", + "created_timestamp": "2025-12-03T00:59:10.738765735Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "display_name": "Machine Learning Identified High Confidence Malicious File", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3865104?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3865104", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3865104", + "occurred": "Dec 02 2025 18:59:10", + "pattern_id": 5734, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-HnSsbM4zv3W0wmZFwUmLQAATiH4qbCM2sUG1LccL2V1I6cXZA3WsVLxmWqI_OyEazLueA==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "alleged_filetype": "exe", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4" + } + ], + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287936371" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\wsqmanager.exe\" ", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3865104", + "confidence": 70, + "context_timestamp": "2025-12-03T00:58:09.211Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "crawled_timestamp": "2025-12-03T00:59:10.738773071Z", + "created_timestamp": "2025-12-03T00:59:10.738765735Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the cloud-based machine learning model high confidence threshold for malicious files. Detection is based on a high degree of entropy, packing, anti-malware evasion, or other similarity to known malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "Machine Learning Identified High Confidence Malicious File", + "email_sent": true, + "event_correlation_id": "b8a97296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3865104?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "wsqmanager.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "files_written": [ + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764723488" + } + ], + "global_prevalence": "low", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "732", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:12557689", + "process_id": "12557689", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3865104", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3865104", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "md5": "e23fcf68ca9c53dd43e89d19acb1f395", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "local_prevalence": "low", + "local_process_id": "4156", + "logon_domain": "WORKGROUP", + "md5": "e23fcf68ca9c53dd43e89d19acb1f395", + "mitre_attack": [ + { + "pattern_id": 5734, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-High", + "objective": "Falcon Detection Method", + "parent_details": { + "cmdline": "C:\\Windows\\PSEXESVC.exe", + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\PSEXESVC.exe", + "local_process_id": "6464", + "md5": "44118d8fb41634b3d8d8b1c6fdf9c421", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23286303500", + "process_id": "23286303500", + "sha256": "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e", + "timestamp": "2025-12-03T00:58:21Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "parent_process_id": "23286303500", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5734, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgx-HnSsbM4zv3W0wmZFwUmLQAATiH4qbCM2sUG1LccL2V1I6cXZA3WsVLxmWqI_OyEazLueA==", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_end_time": "1764723490", + "process_id": "23287195737", + "process_start_time": "1764723487", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T00:58:09.896Z", + "tree_id": "4297103684", + "tree_root": "23287195737", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:16.595548547Z", + "user_id": "S-1-5-18", + "user_name": "khabibulin$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 70, + "severity_name": "High", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:58:09", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:16.595548547Z", + "user_name": "khabibulin$", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "\"C:\\Windows\\wsqmanager.exe\"", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4297103684", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "wsqmanager.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "global_prevalence": "low", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737-5734-3865104", + "local_prevalence": "low", + "local_process_id": 4156, + "logon_domain": "WORKGROUP", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 69 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 69, + "process_id": 23287195737, + "process_start_time": 1764723487, + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "tree_id": 4297103684, + "tree_root": 23287195737, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287195737", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "b8a97296-decf-f011-9bde-7c1e525c4876", + "md5": "e23fcf68ca9c53dd43e89d19acb1f395", + "alleged_filetype": "exe", + "parent_process_id": 23286303500, + "sha1": 0, + "parent_details": { + "cmdline": "C:\\Windows\\PSEXESVC.exe", + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\PSEXESVC.exe", + "local_process_id": "6464", + "md5": "44118d8fb41634b3d8d8b1c6fdf9c421", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23286303500", + "process_id": "23286303500", + "sha256": "cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e", + "timestamp": "2025-12-03T00:58:21Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\services.exe", + "filename": "services.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe", + "local_process_id": "732", + "md5": "d8e577bf078c45954f4531885478d5a9", + "process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:12557689", + "process_id": "12557689", + "sha256": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674", + "timestamp": "1601-01-01T00:00:00.000Z", + "user_graph_id": "uid:6440ce0fd5114f8e8e6cdcf0ebc5326c:S-1-5-18", + "user_id": "S-1-5-18", + "user_name": "khabibulin$" + }, + "user_principal": "", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:23287936371" + ], + "process_end_time": 1764723490, + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "md5": "e23fcf68ca9c53dd43e89d19acb1f395", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "msxhlp.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "MSSVCCFG.dll", + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT", + "timestamp": "1764723488" + }, + { + "filename": "mressvc.dll", + "filepath": "\\Device\\HarddiskVolume4\\Windows\\System32", + "timestamp": "1764723488" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Program Files\\Windows NT\\msxhlp.dll", + "sha256": "e3226e794d7a7001621af8c1ea729f843470f5734385f8cab0932d97c8d49fd4" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:59:06", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "NOvkvADuG/cp0oPCyhmxBg==:0:61:140", + "_insert_time": "Dec 02 2025 18:59:46", + "_name": "OnWrite-PrewittSensorDetect-Low", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4295124595", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:1226008-5743-3809808", + "confidence": 30, + "context_timestamp": "Dec 02 2025 18:58:00", + "crawled_timestamp": "2025-12-03T00:59:02.091536793Z", + "created_timestamp": "2025-12-03T00:59:02.091517096Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the File Analysis ML algorithm's low-confidence threshold for malware.", + "display_name": "OnWrite-PrewittSensorDetect-Low", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:1226008-5743-3809808?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:1226008-5743-3809808", + "incident_type": "detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 5743, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "Detection ID: f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:1226008-5743-3809808", + "occurred": "Dec 02 2025 18:59:02", + "pattern_id": 5743, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxkRKuz5yAVx1arYzz8F6EoQAATiFY2__b200KgwYoQJE9K0Q2KZ4e2_mDB--RCpG_pFpOcA==", + "product": "epp", + "rawJSON": { + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "aggregate_id": "aggind:6440ce0fd5114f8e8e6cdcf0ebc5326c:4295124595", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc" + } + ], + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:160082035", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:131798527" + ], + "cid": "f3ffbf3f853a47e380436720053cc831", + "cloud_indicator": "false", + "cmdline": "System", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:1226008-5743-3809808", + "confidence": 30, + "context_timestamp": "2025-12-03T00:58:00.320Z", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4295124595", + "crawled_timestamp": "2025-12-03T00:59:02.091536793Z", + "created_timestamp": "2025-12-03T00:59:02.091517096Z", + "data_domains": [ + "Endpoint" + ], + "description": "A file written to the file-system meets the File Analysis ML algorithm's low-confidence threshold for malware.", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "display_name": "OnWrite-PrewittSensorDetect-Low", + "email_sent": true, + "event_correlation_id": "cba87296-decf-f011-9bde-7c1e525c4876", + "falcon_host_link": "https://falcon.crowdstrike.com/activity-v2/detections/f3ffbf3f853a47e380436720053cc831:ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:1226008-5743-3809808?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "filename": "System", + "filepath": "System", + "files_written": [ + { + "filename": "wsqmanager.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows", + "timestamp": "1764723480" + }, + { + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows", + "timestamp": "1764723487" + }, + { + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows", + "timestamp": "1764723172" + } + ], + "global_prevalence": "common", + "host_names": [ + "khabibulin" + ], + "id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:1226008-5743-3809808", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:1226008-5743-3809808", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "md5": "fb2407a87c2453ab3150dbd0e9e02439", + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "local_prevalence": "common", + "local_process_id": "4", + "logon_domain": "WORKGROUP", + "md5": "fb2407a87c2453ab3150dbd0e9e02439", + "mitre_attack": [ + { + "pattern_id": 5743, + "tactic_id": "CSTA0004", + "technique_id": "CST0008", + "tactic": "Machine Learning", + "technique": "Cloud-based ML" + } + ], + "name": "OnWrite-PrewittSensorDetect-Low", + "network_accesses": [ + { + "access_timestamp": "1764176217", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "52689", + "protocol": "TCP", + "remote_address": "169.254.169.254", + "remote_port": "80" + }, + { + "access_timestamp": "1764176751", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "52916", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "445" + }, + { + "access_timestamp": "1764186342", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "56900", + "protocol": "TCP", + "remote_address": "54.67.108.17", + "remote_port": "443" + }, + { + "access_timestamp": "1764186414", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "56933", + "protocol": "TCP", + "remote_address": "54.183.135.80", + "remote_port": "443" + }, + { + "access_timestamp": "1764262619", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "56047", + "protocol": "TCP", + "remote_address": "169.254.169.254", + "remote_port": "80" + }, + { + "access_timestamp": "1764263158", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "56273", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "445" + }, + { + "access_timestamp": "1764349020", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "59394", + "protocol": "TCP", + "remote_address": "169.254.169.254", + "remote_port": "80" + }, + { + "access_timestamp": "1764349565", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "59621", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "445" + }, + { + "access_timestamp": "1764435421", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "62642", + "protocol": "TCP", + "remote_address": "169.254.169.254", + "remote_port": "80" + }, + { + "access_timestamp": "1764435972", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "62872", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "445" + } + ], + "objective": "Falcon Detection Method", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": 5743, + "platform": "Windows", + "poly_id": "AADz_78_hTpH44BDZyAFPMgxkRKuz5yAVx1arYzz8F6EoQAATiFY2__b200KgwYoQJE9K0Q2KZ4e2_mDB--RCpG_pFpOcA==", + "priority_details": { + "raw_value": 40 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 40, + "process_id": "1226008", + "process_start_time": "1763398081", + "product": "epp", + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 30, + "severity_name": "Low", + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "show_in_ui": true, + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "timestamp": "2025-12-03T00:58:00.711Z", + "tree_id": "4295124595", + "tree_root": "1226008", + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:1226008", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:06.191519365Z", + "user_id": "S-1-5-18", + "user_name": "khabibulin$", + "incident_type": "detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "NGAV", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 30, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "khabibulin" + ], + "source_products": [ + "Falcon Insight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:58:00", + "type": "ldt", + "updated_timestamp": "2025-12-03T00:59:06.191519365Z", + "user_name": "khabibulin$", + "agent_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "objective": "Falcon Detection Method", + "tactic": "Machine Learning", + "tactic_id": "CSTA0004", + "technique": "Cloud-based ML", + "technique_id": "CST0008", + "cloud_indicator": "false", + "cmdline": "System", + "control_graph_id": "ctg:6440ce0fd5114f8e8e6cdcf0ebc5326c:4295124595", + "device": { + "agent_load_flags": "16", + "agent_local_time": "2025-12-01T23:10:49.531Z", + "agent_version": "7.31.20309.0", + "bios_manufacturer": "Microsoft Corporation", + "bios_version": "Hyper-V UEFI Release v4.1", + "cid": "f3ffbf3f853a47e380436720053cc831", + "config_id_base": "65994767", + "config_id_build": "20309", + "config_id_platform": "3", + "device_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "external_ip": "20.124.230.220", + "first_seen": "2025-11-17T16:53:32Z", + "groups": [ + "fc5d7087339146c0bb5de6f009aff53c" + ], + "hostinfo": { + "domain": "" + }, + "hostname": "khabibulin", + "instance_id": "90cdaa5d-ebf2-4b2a-8598-936ab1f1ad73", + "last_seen": "2025-12-03T00:43:04Z", + "local_ip": "10.20.20.104", + "mac_address": "7c-1e-52-5c-48-76", + "machine_domain": "", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2025-12-03T00:53:53Z", + "os_version": "Windows 10", + "ou": null, + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "service_provider": "AZURE", + "service_provider_account_id": "3cf328ea-ea57-4000-b9c0-21afc3a6cb1d", + "status": "normal", + "system_manufacturer": "Microsoft Corporation", + "system_product_name": "Virtual Machine" + }, + "filename": "System", + "filepath": "System", + "global_prevalence": "common", + "indicator_id": "ind:6440ce0fd5114f8e8e6cdcf0ebc5326c:1226008-5743-3809808", + "local_prevalence": "common", + "local_process_id": 4, + "logon_domain": "WORKGROUP", + "pattern_disposition": 0, + "pattern_disposition_description": "Detection, standard detection.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "containment_file_system": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "mfa_required": false, + "operation_blocked": false, + "policy_disabled": false, + "prevention_provisioning_enabled": false, + "process_blocked": false, + "quarantine_file": false, + "quarantine_machine": false, + "registry_operation_blocked": false, + "response_action_already_applied": false, + "response_action_failed": false, + "response_action_triggered": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "platform": "Windows", + "priority_details": { + "raw_value": 40 + }, + "priority_explanation": [ + "[MOD] The severity of the detection" + ], + "priority_value": 40, + "process_id": 1226008, + "process_start_time": 1763398081, + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "tree_id": 4295124595, + "tree_root": 1226008, + "triggering_process_graph_id": "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:1226008", + "user_id": "S-1-5-18", + "email_sent": "true", + "event_correlation_id": "cba87296-decf-f011-9bde-7c1e525c4876", + "md5": "fb2407a87c2453ab3150dbd0e9e02439", + "alleged_filetype": "", + "parent_process_id": "", + "sha1": "", + "parent_details": "", + "grandparent_details": "", + "user_principal": "", + "child_process_ids": [ + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:160082035", + "pid:6440ce0fd5114f8e8e6cdcf0ebc5326c:131798527" + ], + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "", + "ioc_type": "hash_sha256", + "ioc_value": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "last_updated": "", + "source_account_domain": "", + "source_account_name": "", + "source_account_object_guid": "", + "source_account_object_sid": "", + "source_endpoint_account_object_guid": "", + "source_endpoint_host_name": "", + "start_time": "", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "ioc_source": "file_write", + "ioc_type": "hash_sha256", + "ioc_value": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "md5": "fb2407a87c2453ab3150dbd0e9e02439", + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc", + "type": "module" + } + ], + "ioc_description": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "ioc_source": "file_write", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": [ + { + "filename": "wsqmanager.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows", + "timestamp": "1764723480" + }, + { + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows", + "timestamp": "1764723487" + }, + { + "filename": "PSEXESVC.exe", + "filepath": "\\Device\\HarddiskVolume4\\Windows", + "timestamp": "1764723172" + } + ], + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": [ + { + "access_timestamp": "1764176217", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "52689", + "protocol": "TCP", + "remote_address": "169.254.169.254", + "remote_port": "80" + }, + { + "access_timestamp": "1764176751", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "52916", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "445" + }, + { + "access_timestamp": "1764186342", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "56900", + "protocol": "TCP", + "remote_address": "54.67.108.17", + "remote_port": "443" + }, + { + "access_timestamp": "1764186414", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "56933", + "protocol": "TCP", + "remote_address": "54.183.135.80", + "remote_port": "443" + }, + { + "access_timestamp": "1764262619", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "56047", + "protocol": "TCP", + "remote_address": "169.254.169.254", + "remote_port": "80" + }, + { + "access_timestamp": "1764263158", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "56273", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "445" + }, + { + "access_timestamp": "1764349020", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "59394", + "protocol": "TCP", + "remote_address": "169.254.169.254", + "remote_port": "80" + }, + { + "access_timestamp": "1764349565", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "59621", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "445" + }, + { + "access_timestamp": "1764435421", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "62642", + "protocol": "TCP", + "remote_address": "169.254.169.254", + "remote_port": "80" + }, + { + "access_timestamp": "1764435972", + "access_type": 0, + "connection_direction": "Outbound", + "isIPV6": false, + "local_address": "10.20.20.104", + "local_port": "62872", + "protocol": "TCP", + "remote_address": "10.20.10.9", + "remote_port": "445" + } + ], + "lead_id": "", + "associated_files": [ + { + "filepath": "\\Device\\HarddiskVolume4\\Windows\\wsqmanager.exe", + "sha256": "264917f04435c3eb059964f4059a7ced4af53fe4a4900fd5aa2a7053e1a035dc" + } + ], + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "", + "alert_attributes": "", + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:57:30", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "oTzNqW8cAUC9pwaTlXPcmQ==:0:61:140", + "_insert_time": "Dec 02 2025 18:57:46", + "_name": "ProtocolAnomalyValidAccounts", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:4C3BAA09-B97A-4811-BCCD-7E1A3A82919A", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:4C3BAA09-B97A-4811-BCCD-7E1A3A82919A", + "confidence": 20, + "context_timestamp": "Dec 02 2025 18:56:29", + "crawled_timestamp": "2025-12-03T00:57:30.67041331Z", + "created_timestamp": "2025-12-03T00:57:30.670399Z", + "data_domains": [ + "Identity" + ], + "description": "An authentication protocol was used in an unusual manner", + "display_name": "Suspicious protocol implementation (valid accounts)", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:4C3BAA09-B97A-4811-BCCD-7E1A3A82919A?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik.skt.local" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:4C3BAA09-B97A-4811-BCCD-7E1A3A82919A", + "incident_type": "IDP detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 51103, + "tactic_id": "TA0004", + "technique_id": "T1078", + "tactic": "Privilege Escalation", + "technique": "Valid Accounts" + } + ], + "name": "IDP Detection ID: f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:4C3BAA09-B97A-4811-BCCD-7E1A3A82919A", + "occurred": "Dec 02 2025 18:57:30", + "pattern_id": 51103, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxuiDgfxMjVA2lujt_8i-xvAAATiGXQjPApmf023IB6lV5-0rCC6_aV4Un-wGmypNOj-CToA==", + "product": "idp", + "rawJSON": { + "active_directory_authentication_method": "5", + "activity_id": "A3477E54-2A5D-4406-9F30-D14CB86FE31C", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:4C3BAA09-B97A-4811-BCCD-7E1A3A82919A", + "alert_attributes": "0", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:4C3BAA09-B97A-4811-BCCD-7E1A3A82919A", + "confidence": 20, + "context_timestamp": "2025-12-03T00:56:29.000Z", + "crawled_timestamp": "2025-12-03T00:57:30.67041331Z", + "created_timestamp": "2025-12-03T00:57:30.670399Z", + "data_domains": [ + "Identity" + ], + "description": "An authentication protocol was used in an unusual manner", + "destination_hosts": [ + "khabibulin.skt.local" + ], + "display_name": "Suspicious protocol implementation (valid accounts)", + "end_time": "2025-12-03T00:52:52.000Z", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:4C3BAA09-B97A-4811-BCCD-7E1A3A82919A?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik.skt.local" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:4C3BAA09-B97A-4811-BCCD-7E1A3A82919A", + "mitre_attack": [ + { + "pattern_id": 51103, + "tactic_id": "TA0004", + "technique_id": "T1078", + "tactic": "Privilege Escalation", + "technique": "Valid Accounts" + } + ], + "name": "ProtocolAnomalyValidAccounts", + "objective": "Gain Access", + "pattern_id": 51103, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxuiDgfxMjVA2lujt_8i-xvAAATiGXQjPApmf023IB6lV5-0rCC6_aV4Un-wGmypNOj-CToA==", + "product": "idp", + "protocol_anomaly_classification": "1", + "protocol_anomaly_classification_list": [ + "GENERAL_PROTOCOL_ANOMALY" + ], + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 31, + "severity_name": "Low", + "show_in_ui": true, + "source_account_domain": "SKT.LOCAL", + "source_account_name": "Frieda", + "source_account_object_guid": "90BE12A8-4AB8-4463-814B-CCAF7EF3A9F8", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1113", + "source_endpoint_account_object_guid": "0E567FA0-E51B-4177-89AA-AD0B493674B4", + "source_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1000", + "source_endpoint_host_name": "bannik.skt.local", + "source_endpoint_sensor_id": "52917f37b9d44993b4d0f0d9024236a1", + "source_hosts": [ + "bannik.skt.local" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "start_time": "2025-12-03T00:52:52.000Z", + "status": "new", + "tactic": "Privilege Escalation", + "tactic_id": "TA0004", + "target_account_name": "KHABIBULIN$", + "target_endpoint_account_object_guid": "E95E2161-50BB-4424-A838-3A0B7FB1152F", + "target_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1116", + "target_endpoint_host_name": "khabibulin.skt.local", + "target_endpoint_sensor_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "target_service_access_identifier": "HOST/khabibulin", + "technique": "Valid Accounts", + "technique_id": "T1078", + "timestamp": "2025-12-03T00:56:29.2Z", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-03T00:57:30.670399336Z", + "user_name": "Frieda", + "incident_type": "IDP detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 31, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "bannik.skt.local" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:56:29", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-03T00:57:30.670399336Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Privilege Escalation", + "tactic_id": "TA0004", + "technique": "Valid Accounts", + "technique_id": "T1078", + "cloud_indicator": "", + "cmdline": "", + "control_graph_id": "", + "device": "", + "filename": "", + "filepath": "", + "global_prevalence": "", + "indicator_id": "", + "local_prevalence": "", + "local_process_id": "", + "logon_domain": "", + "pattern_disposition": "", + "pattern_disposition_description": "", + "pattern_disposition_details": "", + "platform": "", + "priority_details": "", + "priority_explanation": "", + "priority_value": "", + "process_id": "", + "process_start_time": "", + "sha256": "", + "tree_id": "", + "tree_root": "", + "triggering_process_graph_id": "", + "user_id": "", + "email_sent": "", + "event_correlation_id": "", + "md5": "", + "alleged_filetype": "", + "parent_process_id": "", + "sha1": "", + "parent_details": "", + "grandparent_details": "", + "user_principal": "", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "Dec 02 2025 18:52:52", + "ioc_type": "", + "ioc_value": "", + "last_updated": "2025-12-03T00:57:30.670399336Z", + "source_account_domain": "SKT.LOCAL", + "source_account_name": "Frieda", + "source_account_object_guid": "90BE12A8-4AB8-4463-814B-CCAF7EF3A9F8", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1113", + "source_endpoint_account_object_guid": "0E567FA0-E51B-4177-89AA-AD0B493674B4", + "source_endpoint_host_name": "bannik.skt.local", + "start_time": "Dec 02 2025 18:52:52", + "destination_hosts": [ + "khabibulin.skt.local" + ], + "target_account_name": "KHABIBULIN$", + "target_endpoint_host_name": "khabibulin.skt.local", + "target_endpoint_sensor_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "source_endpoint_sensor_id": "52917f37b9d44993b4d0f0d9024236a1", + "target_endpoint_account_object_guid": "E95E2161-50BB-4424-A838-3A0B7FB1152F", + "target_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1116", + "ioc_context": "", + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "A3477E54-2A5D-4406-9F30-D14CB86FE31C", + "alert_attributes": 0, + "source_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1000", + "target_service_access_identifier": "HOST/khabibulin", + "active_directory_authentication_method": 5, + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": 1, + "protocol_anomaly_classification_list": [ + "GENERAL_PROTOCOL_ANOMALY" + ], + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 19:02:28", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "yk80/hr9Z9gmYFO+F+DumA==:0:61:140", + "_insert_time": "Dec 02 2025 19:02:46", + "_name": "ProtocolAnomalyValidAccounts", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:24D3A11E-8BEB-4BC1-B329-2450B2592F94", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:24D3A11E-8BEB-4BC1-B329-2450B2592F94", + "confidence": 20, + "context_timestamp": "Dec 02 2025 19:01:26", + "crawled_timestamp": "2025-12-03T01:02:28.631219477Z", + "created_timestamp": "2025-12-03T01:02:28.631212Z", + "data_domains": [ + "Identity" + ], + "description": "An authentication protocol was used in an unusual manner", + "display_name": "Suspicious protocol implementation (valid accounts)", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:24D3A11E-8BEB-4BC1-B329-2450B2592F94?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik.skt.local" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:24D3A11E-8BEB-4BC1-B329-2450B2592F94", + "incident_type": "IDP detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 51103, + "tactic_id": "TA0004", + "technique_id": "T1078", + "tactic": "Privilege Escalation", + "technique": "Valid Accounts" + } + ], + "name": "IDP Detection ID: f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:24D3A11E-8BEB-4BC1-B329-2450B2592F94", + "occurred": "Dec 02 2025 19:02:28", + "pattern_id": 51103, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxw50whFgu7iaXpt8q-9vzwgAATiFOxnBK-8G0UUzyA_u_QAwySrgKNGEH53dc3_wfNOpOgg==", + "product": "idp", + "rawJSON": { + "active_directory_authentication_method": "5", + "activity_id": "4D59473E-C37F-4A66-A809-FA37CB88FE97", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:24D3A11E-8BEB-4BC1-B329-2450B2592F94", + "alert_attributes": "0", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:24D3A11E-8BEB-4BC1-B329-2450B2592F94", + "confidence": 20, + "context_timestamp": "2025-12-03T01:01:26.000Z", + "crawled_timestamp": "2025-12-03T01:02:28.631219477Z", + "created_timestamp": "2025-12-03T01:02:28.631212Z", + "data_domains": [ + "Identity" + ], + "description": "An authentication protocol was used in an unusual manner", + "destination_hosts": [ + "khabibulin.skt.local" + ], + "display_name": "Suspicious protocol implementation (valid accounts)", + "end_time": "2025-12-03T00:57:59.000Z", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:24D3A11E-8BEB-4BC1-B329-2450B2592F94?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik.skt.local" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:24D3A11E-8BEB-4BC1-B329-2450B2592F94", + "mitre_attack": [ + { + "pattern_id": 51103, + "tactic_id": "TA0004", + "technique_id": "T1078", + "tactic": "Privilege Escalation", + "technique": "Valid Accounts" + } + ], + "name": "ProtocolAnomalyValidAccounts", + "objective": "Gain Access", + "pattern_id": 51103, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxw50whFgu7iaXpt8q-9vzwgAATiFOxnBK-8G0UUzyA_u_QAwySrgKNGEH53dc3_wfNOpOgg==", + "product": "idp", + "protocol_anomaly_classification": "1", + "protocol_anomaly_classification_list": [ + "GENERAL_PROTOCOL_ANOMALY" + ], + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 31, + "severity_name": "Low", + "show_in_ui": true, + "source_account_domain": "SKT.LOCAL", + "source_account_name": "Frieda", + "source_account_object_guid": "90BE12A8-4AB8-4463-814B-CCAF7EF3A9F8", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1113", + "source_endpoint_account_object_guid": "0E567FA0-E51B-4177-89AA-AD0B493674B4", + "source_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1000", + "source_endpoint_host_name": "bannik.skt.local", + "source_endpoint_sensor_id": "52917f37b9d44993b4d0f0d9024236a1", + "source_hosts": [ + "bannik.skt.local" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "start_time": "2025-12-03T00:57:59.000Z", + "status": "new", + "tactic": "Privilege Escalation", + "tactic_id": "TA0004", + "target_account_name": "KHABIBULIN$", + "target_endpoint_account_object_guid": "E95E2161-50BB-4424-A838-3A0B7FB1152F", + "target_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1116", + "target_endpoint_host_name": "khabibulin.skt.local", + "target_endpoint_sensor_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "target_service_access_identifier": "cifs/khabibulin", + "technique": "Valid Accounts", + "technique_id": "T1078", + "timestamp": "2025-12-03T01:01:26.891Z", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-03T01:02:28.631212432Z", + "user_name": "Frieda", + "incident_type": "IDP detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "credential_theft", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 31, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "bannik.skt.local" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 19:01:26", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-03T01:02:28.631212432Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Privilege Escalation", + "tactic_id": "TA0004", + "technique": "Valid Accounts", + "technique_id": "T1078", + "cloud_indicator": "", + "cmdline": "", + "control_graph_id": "", + "device": "", + "filename": "", + "filepath": "", + "global_prevalence": "", + "indicator_id": "", + "local_prevalence": "", + "local_process_id": "", + "logon_domain": "", + "pattern_disposition": "", + "pattern_disposition_description": "", + "pattern_disposition_details": "", + "platform": "", + "priority_details": "", + "priority_explanation": "", + "priority_value": "", + "process_id": "", + "process_start_time": "", + "sha256": "", + "tree_id": "", + "tree_root": "", + "triggering_process_graph_id": "", + "user_id": "", + "email_sent": "", + "event_correlation_id": "", + "md5": "", + "alleged_filetype": "", + "parent_process_id": "", + "sha1": "", + "parent_details": "", + "grandparent_details": "", + "user_principal": "", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "Dec 02 2025 18:57:59", + "ioc_type": "", + "ioc_value": "", + "last_updated": "2025-12-03T01:02:28.631212432Z", + "source_account_domain": "SKT.LOCAL", + "source_account_name": "Frieda", + "source_account_object_guid": "90BE12A8-4AB8-4463-814B-CCAF7EF3A9F8", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1113", + "source_endpoint_account_object_guid": "0E567FA0-E51B-4177-89AA-AD0B493674B4", + "source_endpoint_host_name": "bannik.skt.local", + "start_time": "Dec 02 2025 18:57:59", + "destination_hosts": [ + "khabibulin.skt.local" + ], + "target_account_name": "KHABIBULIN$", + "target_endpoint_host_name": "khabibulin.skt.local", + "target_endpoint_sensor_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "source_endpoint_sensor_id": "52917f37b9d44993b4d0f0d9024236a1", + "target_endpoint_account_object_guid": "E95E2161-50BB-4424-A838-3A0B7FB1152F", + "target_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1116", + "ioc_context": "", + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "4D59473E-C37F-4A66-A809-FA37CB88FE97", + "alert_attributes": 0, + "source_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1000", + "target_service_access_identifier": "cifs/khabibulin", + "active_directory_authentication_method": 5, + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": 1, + "protocol_anomaly_classification_list": [ + "GENERAL_PROTOCOL_ANOMALY" + ], + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 18:55:29", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "RS+aak2r/DtTZf3iaBk+bg==:1:61:140", + "_insert_time": "Dec 02 2025 18:56:25", + "_name": "AnomalousNewServerAccess", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:651A129C-5892-4B37-9DF4-6B3CC120DFED", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:651A129C-5892-4B37-9DF4-6B3CC120DFED", + "confidence": 20, + "context_timestamp": "Dec 02 2025 18:54:28", + "crawled_timestamp": "2025-12-03T00:55:29.597692668Z", + "created_timestamp": "2025-12-03T00:55:29.597678Z", + "data_domains": [ + "Identity" + ], + "description": "A user performed a service access to an endpoint for the first time", + "display_name": "Unusual service access to an endpoint", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:651A129C-5892-4B37-9DF4-6B3CC120DFED?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik.skt.local" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:651A129C-5892-4B37-9DF4-6B3CC120DFED", + "incident_type": "IDP detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 51137, + "tactic_id": "TA0001", + "technique_id": "T1078", + "tactic": "Initial Access", + "technique": "Valid Accounts" + } + ], + "name": "IDP Detection ID: f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:651A129C-5892-4B37-9DF4-6B3CC120DFED", + "occurred": "Dec 02 2025 18:55:29", + "pattern_id": 51137, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxIt4PTTV0Xw9BlxCLUPD8ZwAATiHC67SmC3MdsC0srZnGWxcFpgzcmQD7QgCin8uUqO5nxA==", + "product": "idp", + "rawJSON": { + "activity_id": "A3477E54-2A5D-4406-9F30-D14CB86FE31C", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:651A129C-5892-4B37-9DF4-6B3CC120DFED", + "alert_attributes": "770", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:651A129C-5892-4B37-9DF4-6B3CC120DFED", + "confidence": 20, + "context_timestamp": "2025-12-03T00:54:28.000Z", + "crawled_timestamp": "2025-12-03T00:55:29.597692668Z", + "created_timestamp": "2025-12-03T00:55:29.597678Z", + "data_domains": [ + "Identity" + ], + "description": "A user performed a service access to an endpoint for the first time", + "destination_hosts": [ + "khabibulin.skt.local" + ], + "display_name": "Unusual service access to an endpoint", + "end_time": "2025-12-03T00:52:52.000Z", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:651A129C-5892-4B37-9DF4-6B3CC120DFED?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "bannik.skt.local" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:651A129C-5892-4B37-9DF4-6B3CC120DFED", + "mitre_attack": [ + { + "pattern_id": 51137, + "tactic_id": "TA0001", + "technique_id": "T1078", + "tactic": "Initial Access", + "technique": "Valid Accounts" + } + ], + "name": "AnomalousNewServerAccess", + "objective": "Gain Access", + "pattern_id": 51137, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxIt4PTTV0Xw9BlxCLUPD8ZwAATiHC67SmC3MdsC0srZnGWxcFpgzcmQD7QgCin8uUqO5nxA==", + "product": "idp", + "scenario": "machine_learning", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 27, + "severity_name": "Low", + "show_in_ui": true, + "source_account_domain": "SKT.LOCAL", + "source_account_name": "Frieda", + "source_account_object_guid": "90BE12A8-4AB8-4463-814B-CCAF7EF3A9F8", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1113", + "source_endpoint_account_object_guid": "0E567FA0-E51B-4177-89AA-AD0B493674B4", + "source_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1000", + "source_endpoint_host_name": "bannik.skt.local", + "source_endpoint_sensor_id": "52917f37b9d44993b4d0f0d9024236a1", + "source_hosts": [ + "bannik.skt.local" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "start_time": "2025-12-03T00:52:52.000Z", + "status": "new", + "tactic": "Initial Access", + "tactic_id": "TA0001", + "target_endpoint_account_object_guid": "E95E2161-50BB-4424-A838-3A0B7FB1152F", + "target_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1116", + "target_endpoint_host_name": "khabibulin.skt.local", + "target_endpoint_sensor_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "target_service_access_identifier": "HOST/khabibulin", + "technique": "Valid Accounts", + "technique_id": "T1078", + "timestamp": "2025-12-03T00:54:28.168Z", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-03T00:55:29.597678325Z", + "user_name": "Frieda", + "incident_type": "IDP detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "machine_learning", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 27, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "bannik.skt.local" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 18:54:28", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-03T00:55:29.597678325Z", + "user_name": "Frieda", + "agent_id": "52917f37b9d44993b4d0f0d9024236a1", + "objective": "Gain Access", + "tactic": "Initial Access", + "tactic_id": "TA0001", + "technique": "Valid Accounts", + "technique_id": "T1078", + "cloud_indicator": "", + "cmdline": "", + "control_graph_id": "", + "device": "", + "filename": "", + "filepath": "", + "global_prevalence": "", + "indicator_id": "", + "local_prevalence": "", + "local_process_id": "", + "logon_domain": "", + "pattern_disposition": "", + "pattern_disposition_description": "", + "pattern_disposition_details": "", + "platform": "", + "priority_details": "", + "priority_explanation": "", + "priority_value": "", + "process_id": "", + "process_start_time": "", + "sha256": "", + "tree_id": "", + "tree_root": "", + "triggering_process_graph_id": "", + "user_id": "", + "email_sent": "", + "event_correlation_id": "", + "md5": "", + "alleged_filetype": "", + "parent_process_id": "", + "sha1": "", + "parent_details": "", + "grandparent_details": "", + "user_principal": "", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "Dec 02 2025 18:52:52", + "ioc_type": "", + "ioc_value": "", + "last_updated": "2025-12-03T00:55:29.597678325Z", + "source_account_domain": "SKT.LOCAL", + "source_account_name": "Frieda", + "source_account_object_guid": "90BE12A8-4AB8-4463-814B-CCAF7EF3A9F8", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1113", + "source_endpoint_account_object_guid": "0E567FA0-E51B-4177-89AA-AD0B493674B4", + "source_endpoint_host_name": "bannik.skt.local", + "start_time": "Dec 02 2025 18:52:52", + "destination_hosts": [ + "khabibulin.skt.local" + ], + "target_account_name": "", + "target_endpoint_host_name": "khabibulin.skt.local", + "target_endpoint_sensor_id": "6440ce0fd5114f8e8e6cdcf0ebc5326c", + "source_endpoint_sensor_id": "52917f37b9d44993b4d0f0d9024236a1", + "target_endpoint_account_object_guid": "E95E2161-50BB-4424-A838-3A0B7FB1152F", + "target_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1116", + "ioc_context": "", + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "A3477E54-2A5D-4406-9F30-D14CB86FE31C", + "alert_attributes": 770, + "source_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1000", + "target_service_access_identifier": "HOST/khabibulin", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 19:18:34", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "d4+w7FMx0UshFYwNb4y6mg==:0:61:140", + "_insert_time": "Dec 02 2025 19:18:46", + "_name": "AnomalousNewEndpointUsage", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:88ED28C9-6060-4D48-A62F-7EB1358EE406", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:88ED28C9-6060-4D48-A62F-7EB1358EE406", + "confidence": 20, + "context_timestamp": "Dec 02 2025 19:17:33", + "crawled_timestamp": "2025-12-03T01:18:34.560819196Z", + "created_timestamp": "2025-12-03T01:18:34.560808Z", + "data_domains": [ + "Identity" + ], + "description": "A user logged in to a machine for the first time", + "display_name": "Unusual login to an endpoint", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:88ED28C9-6060-4D48-A62F-7EB1358EE406?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "kagarov.skt.local" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:88ED28C9-6060-4D48-A62F-7EB1358EE406", + "incident_type": "IDP detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 51135, + "tactic_id": "TA0001", + "technique_id": "T1078", + "tactic": "Initial Access", + "technique": "Valid Accounts" + } + ], + "name": "IDP Detection ID: f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:88ED28C9-6060-4D48-A62F-7EB1358EE406", + "occurred": "Dec 02 2025 19:18:34", + "pattern_id": 51135, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxkHpyRiaB-iFGwkB_uGtuFAAATiGLTnrmNdglvobHya6weHetoagP7Zr-0-TMVWvoeBfqXA==", + "product": "idp", + "rawJSON": { + "activity_id": "16982B98-FA70-484F-8179-BB480B09AF12", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:88ED28C9-6060-4D48-A62F-7EB1358EE406", + "alert_attributes": "0", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:88ED28C9-6060-4D48-A62F-7EB1358EE406", + "confidence": 20, + "context_timestamp": "2025-12-03T01:17:33.000Z", + "crawled_timestamp": "2025-12-03T01:18:34.560819196Z", + "created_timestamp": "2025-12-03T01:18:34.560808Z", + "data_domains": [ + "Identity" + ], + "description": "A user logged in to a machine for the first time", + "display_name": "Unusual login to an endpoint", + "end_time": "2025-12-03T01:15:31.000Z", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:88ED28C9-6060-4D48-A62F-7EB1358EE406?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "kagarov.skt.local" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:88ED28C9-6060-4D48-A62F-7EB1358EE406", + "mitre_attack": [ + { + "pattern_id": 51135, + "tactic_id": "TA0001", + "technique_id": "T1078", + "tactic": "Initial Access", + "technique": "Valid Accounts" + } + ], + "name": "AnomalousNewEndpointUsage", + "objective": "Gain Access", + "pattern_id": 51135, + "poly_id": "AADz_78_hTpH44BDZyAFPMgxkHpyRiaB-iFGwkB_uGtuFAAATiGLTnrmNdglvobHya6weHetoagP7Zr-0-TMVWvoeBfqXA==", + "product": "idp", + "scenario": "machine_learning", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 15, + "severity_name": "Informational", + "show_in_ui": true, + "source_account_domain": "SKT.LOCAL", + "source_account_name": "Adalwolfa", + "source_account_object_guid": "E5DC79B5-FF69-4816-9B76-E90EAEDD2D39", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1112", + "source_endpoint_account_object_guid": "F21EC6CA-196A-4835-B310-283F7D77D71A", + "source_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1160", + "source_endpoint_address_ip4": "10.20.10.23", + "source_endpoint_host_name": "kagarov.skt.local", + "source_endpoint_ip_address": "10.20.10.23", + "source_hosts": [ + "kagarov.skt.local" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "start_time": "2025-12-03T01:15:31.000Z", + "status": "new", + "tactic": "Initial Access", + "tactic_id": "TA0001", + "technique": "Valid Accounts", + "technique_id": "T1078", + "timestamp": "2025-12-03T01:17:33.105Z", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-03T01:18:34.560808866Z", + "user_name": "Adalwolfa", + "incident_type": "IDP detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "machine_learning", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 15, + "severity_name": "Informational", + "show_in_ui": "true", + "source_hosts": [ + "kagarov.skt.local" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 19:17:33", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-03T01:18:34.560808866Z", + "user_name": "Adalwolfa", + "agent_id": "", + "objective": "Gain Access", + "tactic": "Initial Access", + "tactic_id": "TA0001", + "technique": "Valid Accounts", + "technique_id": "T1078", + "cloud_indicator": "", + "cmdline": "", + "control_graph_id": "", + "device": "", + "filename": "", + "filepath": "", + "global_prevalence": "", + "indicator_id": "", + "local_prevalence": "", + "local_process_id": "", + "logon_domain": "", + "pattern_disposition": "", + "pattern_disposition_description": "", + "pattern_disposition_details": "", + "platform": "", + "priority_details": "", + "priority_explanation": "", + "priority_value": "", + "process_id": "", + "process_start_time": "", + "sha256": "", + "tree_id": "", + "tree_root": "", + "triggering_process_graph_id": "", + "user_id": "", + "email_sent": "", + "event_correlation_id": "", + "md5": "", + "alleged_filetype": "", + "parent_process_id": "", + "sha1": "", + "parent_details": "", + "grandparent_details": "", + "user_principal": "", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "Dec 02 2025 19:15:31", + "ioc_type": "", + "ioc_value": "", + "last_updated": "2025-12-03T01:18:34.560808866Z", + "source_account_domain": "SKT.LOCAL", + "source_account_name": "Adalwolfa", + "source_account_object_guid": "E5DC79B5-FF69-4816-9B76-E90EAEDD2D39", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1112", + "source_endpoint_account_object_guid": "F21EC6CA-196A-4835-B310-283F7D77D71A", + "source_endpoint_host_name": "kagarov.skt.local", + "start_time": "Dec 02 2025 19:15:31", + "destination_hosts": "", + "target_account_name": "", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": "", + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "", + "source_endpoint_address_ip4": "10.20.10.23", + "source_endpoint_ip_address": "10.20.10.23", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "16982B98-FA70-484F-8179-BB480B09AF12", + "alert_attributes": 0, + "source_endpoint_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1160", + "target_service_access_identifier": "", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + }, + { + "_time": "Dec 02 2025 19:17:28", + "_collector_name": "CrowdstrikeFalcon_instance_1", + "_collector_type": "CrowdstrikeFalcon", + "_entry_status": "updated", + "_final_reporting_device_ip": "35.225.156.101", + "_final_reporting_device_name": "https://api.crowdstrike.com", + "_id": "MnLYONtTjgPEX541if7NRA==:0:61:140", + "_insert_time": "Dec 02 2025 19:17:46", + "_name": "KerberoastingAttempt", + "_product": "Falcon_Event", + "_reporting_device_ip": "35.225.156.101", + "_reporting_device_name": "https://api.crowdstrike.com", + "_source_log_type": "detection", + "_vendor": "CrowdStrike", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:6E4DAF0A-FE96-41C5-ACCD-C128C3344F5B", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:6E4DAF0A-FE96-41C5-ACCD-C128C3344F5B", + "confidence": 60, + "context_timestamp": "Dec 02 2025 19:16:26", + "crawled_timestamp": "2025-12-03T01:17:28.040504695Z", + "created_timestamp": "2025-12-03T01:17:28.040490Z", + "data_domains": [ + "Identity" + ], + "description": "An end user accessed a service that they had not previously used. The service is provided by a user entity.", + "display_name": "Unusual access to a user entity (Kerberoasting)", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:6E4DAF0A-FE96-41C5-ACCD-C128C3344F5B?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "kagarov.skt.local" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:6E4DAF0A-FE96-41C5-ACCD-C128C3344F5B", + "incident_type": "IDP detection", + "mirror_direction": "null", + "mirror_instance": "CrowdstrikeFalcon_instance_1", + "mitre_attack": [ + { + "pattern_id": 51165, + "tactic_id": "TA0006", + "technique_id": "T1558", + "tactic": "Credential Access", + "technique": "Steal or Forge Kerberos Tickets" + } + ], + "name": "IDP Detection ID: f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:6E4DAF0A-FE96-41C5-ACCD-C128C3344F5B", + "occurred": "Dec 02 2025 19:17:28", + "pattern_id": 51165, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx62juArowcGsHhGOQhL284gAATiGUWvCiZo89aM7P_LP51p--sZuUNjgkOLXDQNhMU0hxZg==", + "product": "idp", + "rawJSON": { + "activity_id": "EDBC8CA6-49DC-4CE8-BE7A-22ED111EB50C", + "aggregate_id": "aggind:f3ffbf3f853a47e380436720053cc831:6E4DAF0A-FE96-41C5-ACCD-C128C3344F5B", + "alert_attributes": "258", + "cid": "f3ffbf3f853a47e380436720053cc831", + "composite_id": "f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:6E4DAF0A-FE96-41C5-ACCD-C128C3344F5B", + "confidence": 60, + "context_timestamp": "2025-12-03T01:16:26.000Z", + "crawled_timestamp": "2025-12-03T01:17:28.040504695Z", + "created_timestamp": "2025-12-03T01:17:28.040490Z", + "data_domains": [ + "Identity" + ], + "description": "An end user accessed a service that they had not previously used. The service is provided by a user entity.", + "display_name": "Unusual access to a user entity (Kerberoasting)", + "end_time": "2025-12-03T01:11:17.000Z", + "falcon_host_link": "https://falcon.crowdstrike.com/identity-protection/detections/f3ffbf3f853a47e380436720053cc831:ind:f3ffbf3f853a47e380436720053cc831:6E4DAF0A-FE96-41C5-ACCD-C128C3344F5B?_cid=g03000j5nicyinazevbprb2mgpmfywmq", + "host_names": [ + "kagarov.skt.local" + ], + "id": "ind:f3ffbf3f853a47e380436720053cc831:6E4DAF0A-FE96-41C5-ACCD-C128C3344F5B", + "mitre_attack": [ + { + "pattern_id": 51165, + "tactic_id": "TA0006", + "technique_id": "T1558", + "tactic": "Credential Access", + "technique": "Steal or Forge Kerberos Tickets" + } + ], + "name": "KerberoastingAttempt", + "objective": "Gain Access", + "pattern_id": 51165, + "poly_id": "AADz_78_hTpH44BDZyAFPMgx62juArowcGsHhGOQhL284gAATiGUWvCiZo89aM7P_LP51p--sZuUNjgkOLXDQNhMU0hxZg==", + "product": "idp", + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 27, + "severity_name": "Low", + "show_in_ui": true, + "source_account_domain": "SKT.LOCAL", + "source_account_name": "evals_domain_admin", + "source_account_object_guid": "6B4ECA3D-426B-4CE6-A9B3-6CE9E2C33E3B", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1107", + "source_account_upn": "evals_domain_admin@skt.local", + "source_endpoint_account_object_guid": "FC3AFBC7-C4F3-4D96-A94E-C8D07A0A9C65", + "source_endpoint_host_name": "kagarov.skt.local", + "source_hosts": [ + "kagarov.skt.local" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "start_time": "2025-12-03T01:11:17.000Z", + "status": "new", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "target_account_name": "krbtgt", + "target_service_access_identifier": "kadmin/changepw", + "technique": "Steal or Forge Kerberos Tickets", + "technique_id": "T1558", + "timestamp": "2025-12-03T01:16:26.377Z", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-03T01:17:28.04049091Z", + "user_name": "evals_domain_admin", + "incident_type": "IDP detection", + "mirror_direction": null, + "mirror_instance": "CrowdstrikeFalcon_instance_1" + }, + "scenario": "suspicious_activity", + "seconds_to_resolved": 0, + "seconds_to_triaged": 0, + "severity": 27, + "severity_name": "Low", + "show_in_ui": "true", + "source_hosts": [ + "kagarov.skt.local" + ], + "source_products": [ + "Falcon Identity Protection" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "timestamp": "Dec 02 2025 19:16:26", + "type": "idp-session-source-user-endpoint-target-info", + "updated_timestamp": "2025-12-03T01:17:28.04049091Z", + "user_name": "evals_domain_admin", + "agent_id": "", + "objective": "Gain Access", + "tactic": "Credential Access", + "tactic_id": "TA0006", + "technique": "Steal or Forge Kerberos Tickets", + "technique_id": "T1558", + "cloud_indicator": "", + "cmdline": "", + "control_graph_id": "", + "device": "", + "filename": "", + "filepath": "", + "global_prevalence": "", + "indicator_id": "", + "local_prevalence": "", + "local_process_id": "", + "logon_domain": "", + "pattern_disposition": "", + "pattern_disposition_description": "", + "pattern_disposition_details": "", + "platform": "", + "priority_details": "", + "priority_explanation": "", + "priority_value": "", + "process_id": "", + "process_start_time": "", + "sha256": "", + "tree_id": "", + "tree_root": "", + "triggering_process_graph_id": "", + "user_id": "", + "email_sent": "", + "event_correlation_id": "", + "md5": "", + "alleged_filetype": "", + "parent_process_id": "", + "sha1": "", + "parent_details": "", + "grandparent_details": "", + "user_principal": "", + "child_process_ids": "", + "process_end_time": "", + "incident": "", + "template_instance_id": "", + "end_time": "Dec 02 2025 19:11:17", + "ioc_type": "", + "ioc_value": "", + "last_updated": "2025-12-03T01:17:28.04049091Z", + "source_account_domain": "SKT.LOCAL", + "source_account_name": "evals_domain_admin", + "source_account_object_guid": "6B4ECA3D-426B-4CE6-A9B3-6CE9E2C33E3B", + "source_account_object_sid": "S-1-5-21-4168186624-547105363-3065826963-1107", + "source_endpoint_account_object_guid": "FC3AFBC7-C4F3-4D96-A94E-C8D07A0A9C65", + "source_endpoint_host_name": "kagarov.skt.local", + "start_time": "Dec 02 2025 19:11:17", + "destination_hosts": "", + "target_account_name": "krbtgt", + "target_endpoint_host_name": "", + "target_endpoint_sensor_id": "", + "source_endpoint_sensor_id": "", + "target_endpoint_account_object_guid": "", + "target_endpoint_account_object_sid": "", + "ioc_context": "", + "ioc_description": "", + "ioc_source": "", + "source_account_upn": "evals_domain_admin@skt.local", + "source_endpoint_address_ip4": "", + "source_endpoint_ip_address": "", + "idp_policy_rule_id": "", + "idp_policy_rule_name": "", + "source_account_sam_account_name": "", + "files_written": "", + "idp_policy_enforced_externally": "", + "idp_policy_rule_action": "", + "idp_policy_rule_action_list": "", + "idp_policy_rule_trigger": "", + "network_accesses": "", + "lead_id": "", + "associated_files": "", + "idp_policy_mfa_factor_type": "", + "idp_policy_mfa_provider": "", + "files_accessed": "", + "activity_id": "EDBC8CA6-49DC-4CE8-BE7A-22ED111EB50C", + "alert_attributes": 258, + "source_endpoint_account_object_sid": "", + "target_service_access_identifier": "kadmin/changepw", + "active_directory_authentication_method": "", + "detection_context": "", + "dns_requests": "", + "protocol_anomaly_classification": "", + "protocol_anomaly_classification_list": "", + "template_interface_id": "", + "template_interface_name": "", + "external": "", + "overwatch_note": "", + "overwatch_note_timestamp": "", + "quarantined_files": "", + "_device_id": "", + "_raw_json": "", + "_raw_log": "", + "_tag": "", + "added_privileges": "", + "ldap_search_query_attack": "", + "previous_privileges": "", + "privileges": "", + "target_domain_controller_object_guid": "", + "target_domain_controller_object_sid": "" + } +] diff --git a/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_TAP_TurlaCarbon_V1/SOCFWPoVData_TAP_TurlaCarbon_V1.json b/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_TAP_TurlaCarbon_V1/SOCFWPoVData_TAP_TurlaCarbon_V1.json new file mode 100644 index 0000000..a549f8d --- /dev/null +++ b/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_TAP_TurlaCarbon_V1/SOCFWPoVData_TAP_TurlaCarbon_V1.json @@ -0,0 +1,20 @@ +{ + "allRead": true, + "allReadWrite": false, + "dbotCreated": false, + "description": "Turla Carbon scenario — Proofpoint TAP email threat events (December 2025). 2 events: messages delivered (NTFVersion.exe spearphish to Gunter@SKT.LOCAL) and clicks permitted. Used by SOCFWPoVSender to replay the email initial access leg of the Turla Carbon attack chain alongside the CrowdStrike EDR events.", + "fromVersion": "6.5.0", + "id": "SOCFWPoVData_TAP_TurlaCarbon_V1", + "itemVersion": "", + "locked": false, + "name": "SOCFWPoVData_TAP_TurlaCarbon_V1", + "display_name": "SOCFWPoVData_TAP_TurlaCarbon_V1", + "packID": "soc-framework-pov-test", + "propagationLabels": ["all"], + "system": false, + "tags": [], + "toVersion": "", + "truncated": false, + "type": "json", + "version": -1 +} diff --git a/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_TAP_TurlaCarbon_V1/SOCFWPoVData_TAP_TurlaCarbon_V1_data.json b/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_TAP_TurlaCarbon_V1/SOCFWPoVData_TAP_TurlaCarbon_V1_data.json new file mode 100644 index 0000000..8e5399f --- /dev/null +++ b/Packs/soc-framework-pov-test/Lists/SOCFWPoVData_TAP_TurlaCarbon_V1/SOCFWPoVData_TAP_TurlaCarbon_V1_data.json @@ -0,0 +1,200 @@ +[ + { + "_time": "2025-12-02T13:00:00.000Z", + "type": "messages delivered", + "GUID": "TAP-GUID-TURLA-DELIVERY-001", + "id": "TAP-GUID-TURLA-DELIVERY-001", + "messageID": "", + "sender": "noreply@sktlocal.it", + "senderIP": "198.51.100.45", + "recipient": [ + "Gunter@SKT.LOCAL" + ], + "subject": "Windows Security Update - Action Required", + "headerFrom": "noreply@sktlocal.it", + "headerReplyTo": "noreply@sktlocal.it", + "replyToAddress": [ + "noreply@sktlocal.it" + ], + "campaignId": "turla-carbon-spearphish-skt-2025", + "threatStatus": "active", + "threatTime": "2025-12-02T12:58:00.000Z", + "threatsInfoMap": [ + { + "threatID": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", + "threatStatus": "active", + "classification": "phish", + "threatType": "url", + "threatUrl": "http://brieftragerin.skt.local/update/NTFVersion.exe", + "threat": "http://brieftragerin.skt.local/update/NTFVersion.exe", + "threatTime": "2025-12-02T12:58:00.000Z", + "campaignID": "turla-carbon-spearphish-skt-2025", + "actors": [ + { + "id": "actor-turla", + "name": "Turla" + } + ], + "malwareFamilies": [ + "EPIC", + "Carbon" + ], + "malwareFamily": "EPIC", + "detectionType": "STATIC", + "domain": "brieftragerin.skt.local" + } + ], + "messageParts": [ + { + "contentType": "text/html", + "disposition": "inline", + "filename": "", + "md5": "", + "sha256": "", + "oContentType": "text/html", + "sandboxStatus": null + } + ], + "phishScore": 98, + "spamScore": 72, + "malwareScore": 0, + "impostorScore": 0, + "messageSize": 14825, + "messageTime": "2025-12-02T13:00:00.000Z", + "clickIP": "", + "clickTime": "", + "userAgent": "", + "policyRoutes": [ + "default_inbound" + ], + "modulesRun": [ + "spam", + "phish", + "urldefense", + "sandbox" + ], + "QID": "TAP-2025120213000001", + "toAddresses": [ + "Gunter@SKT.LOCAL" + ], + "ccAddresses": [], + "completelyRewritten": "true", + "xmailer": "", + "scenario_name": "Turla Carbon - EPIC Initial Access via Spearphishing" + }, + { + "_time": "2025-12-02T13:20:00.000Z", + "type": "clicks permitted", + "GUID": "TAP-GUID-TURLA-CLICK-002", + "id": "TAP-GUID-TURLA-CLICK-002", + "messageID": "", + "sender": "noreply@sktlocal.it", + "senderIP": "198.51.100.45", + "recipient": "Gunter@SKT.LOCAL", + "subject": "Windows Security Update - Action Required", + "headerFrom": "noreply@sktlocal.it", + "headerReplyTo": "noreply@sktlocal.it", + "replyToAddress": [ + "noreply@sktlocal.it" + ], + "campaignId": "turla-carbon-spearphish-skt-2025", + "threatStatus": "active", + "threatTime": "2025-12-02T12:58:00.000Z", + "threatsInfoMap": [ + { + "threatID": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", + "threatStatus": "active", + "classification": "phish", + "threatType": "url", + "threatUrl": "http://brieftragerin.skt.local/update/NTFVersion.exe", + "threat": "http://brieftragerin.skt.local/update/NTFVersion.exe", + "threatTime": "2025-12-02T12:58:00.000Z", + "campaignID": "turla-carbon-spearphish-skt-2025", + "actors": [ + { + "id": "actor-turla", + "name": "Turla" + } + ], + "malwareFamilies": [ + "EPIC", + "Carbon" + ], + "malwareFamily": "EPIC", + "detectionType": "STATIC", + "domain": "brieftragerin.skt.local" + }, + { + "threatID": "b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3", + "threatStatus": "active", + "classification": "malware", + "threatType": "attachment", + "threat": "NTFVersion.exe", + "threatTime": "2025-12-02T13:18:00.000Z", + "campaignID": "turla-carbon-spearphish-skt-2025", + "actors": [ + { + "id": "actor-turla", + "name": "Turla" + } + ], + "malwareFamilies": [ + "EPIC" + ], + "malwareFamily": "EPIC", + "detectionType": "SANDBOX", + "sandboxStatus": "malicious" + } + ], + "messageParts": [ + { + "contentType": "text/html", + "disposition": "inline", + "filename": "", + "md5": "", + "sha256": "", + "oContentType": "text/html", + "sandboxStatus": null + }, + { + "contentType": "application/octet-stream", + "disposition": "attached", + "filename": "NTFVersion.exe", + "md5": "d41d8cd98f00b204e9800998ecf8427e", + "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "oContentType": "application/x-msdownload", + "sandboxStatus": "malicious", + "sandboxVerdict": "MALICIOUS", + "malwareFamily": "EPIC", + "threatType": "attachment", + "threatId": "b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3" + } + ], + "phishScore": 98, + "spamScore": 72, + "malwareScore": 95, + "impostorScore": 0, + "messageSize": 14825, + "messageTime": "2025-12-02T13:00:00.000Z", + "clickIP": "10.20.20.102", + "clickTime": "2025-12-02T13:20:00.000Z", + "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0", + "policyRoutes": [ + "default_inbound" + ], + "modulesRun": [ + "spam", + "phish", + "urldefense", + "sandbox" + ], + "QID": "TAP-2025120213200002", + "toAddresses": [ + "Gunter@SKT.LOCAL" + ], + "ccAddresses": [], + "completelyRewritten": "true", + "xmailer": "", + "scenario_name": "Turla Carbon - EPIC Initial Access via Spearphishing" + } +] diff --git a/Packs/soc-framework-pov-test/POST_CONFIG_README.md b/Packs/soc-framework-pov-test/POST_CONFIG_README.md new file mode 100644 index 0000000..0de4a18 --- /dev/null +++ b/Packs/soc-framework-pov-test/POST_CONFIG_README.md @@ -0,0 +1,83 @@ +# Post-Configuration — SOC Framework PoV Test Pack + +--- + +## Running the Turla Carbon scenario + +Open any case war room or the playground and run both commands. +Run order does not matter — global_min/global_max synchronises the time axis. + +``` +!socfw-pov-send-data list_name=SOCFWPoVData_CrowdStrike_TurlaCarbon_V1 + global_min=2025-12-02T13:00:00Z global_max=2025-12-04T12:01:07Z + using=socfw_pov_crowdstrike_sender + +!socfw-pov-send-data list_name=SOCFWPoVData_TAP_TurlaCarbon_V1 + global_min=2025-12-02T13:00:00Z global_max=2025-12-04T12:01:07Z + using=socfw_pov_tap_sender +``` + +Navigate to **Cases & Issues → Cases**. Cases should appear within seconds +for real-time correlation rules. Up to 10 minutes for scheduled rules. + +### What you should see + +- Proofpoint TAP alert: `[Email] Gunter@SKT.LOCAL - Initial Access: Threat Email Delivered` +- CrowdStrike alerts: `[Endpoint] Gunter@SKT.LOCAL - Command and Control: ...` (138 events → grouped) +- XSIAM groups both sources into one case via shared `Gunter@SKT.LOCAL` username +- SOC Framework runs in shadow mode — AI narrative spans both sources + +--- + +## Replaying the scenario + +Each run rotates suppression IDs automatically so correlation rules fire again +regardless of how recently the previous run was. Just re-run the same commands. + +To compress into a shorter window (e.g. for a 30-minute live demo): +``` +!socfw-pov-send-data list_name=SOCFWPoVData_CrowdStrike_TurlaCarbon_V1 + global_min=2025-12-02T13:00:00Z global_max=2025-12-04T12:01:07Z + compress_window=30m using=socfw_pov_crowdstrike_sender +``` + +--- + +## Set the teardown reminder + +Go to **Automation → Jobs → POV Teardown Reminder V1**. +Set the schedule to fire on the last day of the PoV. The JOB creates a +High severity case titled `ACTION REQUIRED: Uninstall SOC Framework PoV Test Pack` +with the full uninstall checklist. + +--- + +## Teardown (before PS handoff) + +Complete in order: + +``` +☐ 1. Delete socfw_pov_crowdstrike HTTP Collector + Settings → Data Sources → socfw_pov_crowdstrike → Delete +☐ 2. Delete socfw_pov_tap HTTP Collector +☐ 3. Uninstall soc-framework-pov-test from Marketplace +☐ 4. Set shadow_mode = false per action in SOCFrameworkActions_V3 to go live +☐ 5. Close the teardown reminder case +``` + +The integration instances and list data are removed automatically when the pack +is uninstalled. + +--- + +## Adding future scenarios (XDR agent, MS Defender, etc.) + +When you have a new TSV: +1. Add it as a new List following the `SOCFWPoVData___V1` naming convention +2. Create a new HTTP Collector in XSIAM for the target dataset +3. Add a new `SOCFWPoVSender` integration instance pointing to that collector +4. Run `!socfw-pov-send-data` with the new list name and instance + +No code changes to `SOCFWPoVSender.py` required for new vendors as long as +normalization is not needed. For new normalization logic (new suppression fields, +new UPN reconstruction patterns), add a branch in `normalize_events()`. diff --git a/Packs/soc-framework-pov-test/PRE_CONFIG_README.md b/Packs/soc-framework-pov-test/PRE_CONFIG_README.md new file mode 100644 index 0000000..e0ac284 --- /dev/null +++ b/Packs/soc-framework-pov-test/PRE_CONFIG_README.md @@ -0,0 +1,72 @@ +# Pre-Configuration — SOC Framework PoV Test Pack + +Complete these steps **before** installing this pack. +You need one HTTP Collector per data source. + +--- + +## Create HTTP Collectors in XSIAM + +In XSIAM navigate to **Settings → Data Sources → Add Data Source → HTTP Collector**. + +Create two collectors — one per source. Use these exact product/vendor values +so events land in the correct datasets and the existing correlation rules fire. + +### Collector 1 — CrowdStrike Falcon + +| Field | Value | +|---|---| +| Name | `socfw_pov_crowdstrike` | +| Vendor | `CrowdStrike` | +| Product | `Falcon` | +| Dataset | `crowdstrike_falcon_event_raw` (auto-created) | + +After saving: copy the **Endpoint URL** and **API Key** — you'll paste them into +the `socfw_pov_crowdstrike_sender` integration instance after install. + +### Collector 2 — Proofpoint TAP + +| Field | Value | +|---|---| +| Name | `socfw_pov_tap` | +| Vendor | `Proofpoint` | +| Product | `TAP` | +| Dataset | `proofpoint_tap_v2_generic_alert_raw` (auto-created) | + +After saving: copy the **Endpoint URL** and **API Key** for the +`socfw_pov_tap_sender` integration instance. + +--- + +## Verify existing correlation rules are enabled + +The scenario data only produces cases if the correlation rules are active. +Confirm in **Detection Rules → Correlation**: + +- `SOC CrowdStrike Falcon - Endpoint Alerts` → Enabled +- `SOC Proofpoint TAP - Threat Detected` → Enabled + +If these rules are not installed, install `SocFrameworkCrowdstrikeFalcon` +and `SocFrameworkProofPointTap` packs first. + +--- + +## Install the pack + +Install `soc-framework-pov-test` from the Marketplace or via SDK upload. + +After install, go to **Settings → Integrations** and configure: + +**`socfw_pov_crowdstrike_sender`** +- HTTP Collector URL → paste CrowdStrike collector URL +- API Key → paste CrowdStrike collector API key +- Source Name → `crowdstrike` (pre-filled) + +**`socfw_pov_tap_sender`** +- HTTP Collector URL → paste TAP collector URL +- API Key → paste TAP collector API key +- Source Name → `proofpoint` (pre-filled) + +Click **Test** on each instance — should return `ok`. + +See `POST_CONFIG_README.md` for running the scenario. diff --git a/Packs/soc-framework-pov-test/Playbooks/JOB_-_POV_Teardown_Reminder_V1.yml b/Packs/soc-framework-pov-test/Playbooks/JOB_-_POV_Teardown_Reminder_V1.yml new file mode 100644 index 0000000..8bbe19e --- /dev/null +++ b/Packs/soc-framework-pov-test/Playbooks/JOB_-_POV_Teardown_Reminder_V1.yml @@ -0,0 +1,130 @@ +adopted: true +id: JOB - POV Teardown Reminder V1 +version: -1 +name: JOB - POV Teardown Reminder V1 +description: |- + Scheduled reminder to uninstall the SOC Framework PoV Test pack after the PoV ends. + Creates a High severity case with the full uninstall checklist in the war room. + + SETUP: After installing soc-framework-pov-test, go to Automation → Jobs → + POV Teardown Reminder V1 → set the schedule to fire on the last day of the PoV. + + Do not leave this pack installed on a tenant going to production. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: c3d4e5f6-0003-0003-0003-000000000001 + type: start + task: + id: c3d4e5f6-0003-0003-0003-000000000001 + version: -1 + name: "" + iscommand: false + brand: "" + description: "" + nexttasks: + '#none#': + - "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": {"x": 450, "y": 50} + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + + "1": + id: "1" + taskid: c3d4e5f6-0003-0003-0003-000000000002 + type: regular + task: + id: c3d4e5f6-0003-0003-0003-000000000002 + version: -1 + name: Create uninstall reminder case + description: |- + Creates a High severity case visible in the analyst queue. + The case name and war room entry contain the full uninstall checklist. + script: '|||CreateNewIncident' + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + name: + simple: "ACTION REQUIRED: Uninstall SOC Framework PoV Test Pack" + severity: + simple: "3" + type: + simple: "Other" + details: + simple: |- + The SOC Framework PoV has ended. The soc-framework-pov-test pack must be + uninstalled before this tenant goes to production or is handed off to PS. + + UNINSTALL CHECKLIST: + ☐ 1. Delete the socfw_pov_crowdstrike_sender integration instance + Settings → Integrations → search "socfw_pov" → delete both instances + ☐ 2. Delete the socfw_pov_tap_sender integration instance + ☐ 3. Uninstall soc-framework-pov-test from Marketplace + ☐ 4. Confirm SOCFWPoVData_* lists are removed + ☐ 5. Disable or delete this JOB (POV Teardown Reminder V1) + ☐ 6. Set shadow_mode = false per action in SOCFrameworkActions_V3 to go live + + After completing the above, close this case. + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": {"x": 450, "y": 175} + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + + "2": + id: "2" + taskid: c3d4e5f6-0003-0003-0003-000000000003 + type: title + task: + id: c3d4e5f6-0003-0003-0003-000000000003 + version: -1 + name: Reminder case created + type: title + iscommand: false + brand: "" + description: |- + Reminder case is now visible in Cases & Issues. + The DC or PS engineer must complete the uninstall checklist and close the case. + nexttasks: + '#none#': [] + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": {"x": 450, "y": 325} + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + +system: true +fromversion: 8.0.0 +tags: + - SOCFramework + - PoV diff --git a/Packs/soc-framework-pov-test/README.md b/Packs/soc-framework-pov-test/README.md new file mode 100644 index 0000000..0577c61 --- /dev/null +++ b/Packs/soc-framework-pov-test/README.md @@ -0,0 +1,70 @@ +# SOC Framework PoV Test Pack + +Enables repeatable, safe attack scenario replay for SOC Framework PoV demonstrations. +Sends scenario event data into XSIAM via HTTP Collector so correlation rules fire +exactly as they would on real vendor data. + +**Install on PoV and dev tenants only. Uninstall before PS handoff.** + +--- + +## How it works + +``` +XSIAM List (scenario data) + ↓ SOCFWPoVSender integration + ↓ timestamp rebase → suppress ID rotation → HTTP POST +HTTP Collector endpoint + ↓ +vendor dataset (crowdstrike_falcon_event_raw, proofpoint_tap_v2_generic_alert_raw, ...) + ↓ +Correlation rule fires → XSIAM alert → Case → SOC Framework runs +``` + +--- + +## DC workflow + +**1. Install pack and configure integration instances** + +See `PRE_CONFIG_README.md` for HTTP Collector setup. +After install, edit each integration instance and paste the URL and API key. + +**2. Run the scenario from any case war room or playground** + +``` +# Send CrowdStrike EDR events +!socfw-pov-send-data list_name=SOCFWPoVData_CrowdStrike_TurlaCarbon_V1 + global_min=2025-12-02T13:00:00Z global_max=2025-12-04T12:01:07Z + using=socfw_pov_crowdstrike_sender + +# Send Proofpoint TAP email events +!socfw-pov-send-data list_name=SOCFWPoVData_TAP_TurlaCarbon_V1 + global_min=2025-12-02T13:00:00Z global_max=2025-12-04T12:01:07Z + using=socfw_pov_tap_sender +``` + +Watch Cases & Issues → Cases. Cases form within seconds (real-time rules). + +**3. Set the teardown reminder** + +Go to Automation → Jobs → POV Teardown Reminder V1 → set schedule to last day of PoV. + +--- + +## Scenarios + +| Scenario | Lists | global_min | global_max | +|---|---|---|---| +| Turla Carbon (CS + TAP) | `SOCFWPoVData_CrowdStrike_TurlaCarbon_V1` + `SOCFWPoVData_TAP_TurlaCarbon_V1` | `2025-12-02T13:00:00Z` | `2025-12-04T12:01:07Z` | + +--- + +## Adding a new scenario source (e.g. XDR agent) + +1. Build the TSV from the lab execution +2. Add it as a new List in the pack following the same naming convention +3. Add a third integration instance in `xsoar_config.json` pointing to the correct HTTP Collector +4. Run `!socfw-pov-send-data` with the new list name and instance — same global_min/max + +No code changes needed. diff --git a/Packs/soc-framework-pov-test/Scripts/SOCFWPoVSend/SOCFWPoVSend.py b/Packs/soc-framework-pov-test/Scripts/SOCFWPoVSend/SOCFWPoVSend.py new file mode 100644 index 0000000..ebe2744 --- /dev/null +++ b/Packs/soc-framework-pov-test/Scripts/SOCFWPoVSend/SOCFWPoVSend.py @@ -0,0 +1,317 @@ +import demistomock as demisto # type: ignore +from CommonServerPython import * # type: ignore + +import json +import re +import uuid +from datetime import datetime, timezone, timedelta +from typing import Any, Dict, List, Optional, Tuple + + +# ── Constants ───────────────────────────────────────────────────────────────── + +_TIME_FIELD_CANDIDATES = [ + "_time", "created_timestamp", "event_creation_time", "eventCreationTime", + "EventTimestamp", "messageTime", "clickTime", "threatTime", "timestamp", + "@timestamp", "observation_time", "context_timestamp", +] + +_REBASE_FIELDS = set(_TIME_FIELD_CANDIDATES) | {"crawled_timestamp", "_insert_time"} + +_FALLBACK_FORMATS = [ + "%b %d %Y %H:%M:%S", + "%Y-%m-%dT%H:%M:%S.%f%z", + "%Y-%m-%dT%H:%M:%S%z", + "%Y-%m-%d %H:%M:%S", +] + + +# ── Timestamp helpers — identical logic to replay_scenario.py ───────────────── + +def _parse_timestamp(raw: str) -> Optional[datetime]: + s = raw.strip() + if not s: + return None + normalized = s + if normalized.endswith("Z"): + normalized = normalized[:-1] + "+00:00" + normalized = re.sub( + r"(\d{2}:\d{2}:\d{2})\.(\d+)", + lambda m: m.group(1) + "." + m.group(2)[:6].ljust(6, "0"), + normalized, + ) + try: + dt = datetime.fromisoformat(normalized) + return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc) + except ValueError: + pass + for fmt in _FALLBACK_FORMATS: + try: + dt = datetime.strptime(s, fmt) + return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc) + except ValueError: + continue + return None + + +def detect_time_field(events: List[Dict[str, Any]]) -> Optional[str]: + for field in _TIME_FIELD_CANDIDATES: + for ev in events[:5]: + raw = ev.get(field) + if isinstance(raw, str) and _parse_timestamp(raw): + return field + return None + + +def parse_duration(spec: str) -> timedelta: + s = spec.strip().lower() + total = 0 + for val, unit in re.findall(r"(\d+)\s*([dhms]?)", s): + v = int(val) + u = unit or "m" + if u == "d": total += v * 86400 + elif u == "h": total += v * 3600 + elif u == "m": total += v * 60 + elif u == "s": total += v + if total == 0: + raise ValueError(f"Cannot parse duration: {spec!r}") + return timedelta(seconds=total) + + +def time_range(events: List[Dict[str, Any]], field: str) -> Tuple[Optional[datetime], Optional[datetime]]: + times = [] + for ev in events: + raw = ev.get(field) + if isinstance(raw, str): + dt = _parse_timestamp(raw) + if dt: + times.append(dt) + return (min(times), max(times)) if times else (None, None) + + +def rebase( + events: List[Dict[str, Any]], + field: str, + anchor: datetime, + compress_window: timedelta, + global_min: Optional[datetime] = None, + global_max: Optional[datetime] = None, +) -> int: + first_dt, last_dt = time_range(events, field) + if first_dt is None: + return 0 + + range_min = global_min or first_dt + range_max = global_max or last_dt + span = (range_max - range_min).total_seconds() + + updated = 0 + for ev in events: + raw = ev.get(field) + if not isinstance(raw, str): + continue + original_dt = _parse_timestamp(raw) + if original_dt is None: + continue + + if span > 0: + frac = max(0.0, min(1.0, (original_dt - range_min).total_seconds() / span)) + new_dt = (anchor - compress_window) + timedelta(seconds=frac * compress_window.total_seconds()) + else: + new_dt = anchor + + new_iso = new_dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z" + ev.setdefault("_original_time", raw) + ev[field] = new_iso + ev["_time"] = new_iso + ev["_insert_time"] = new_iso + + for fld in _REBASE_FIELDS: + if fld == field or fld not in ev: + continue + other_raw = ev[fld] + if not isinstance(other_raw, str): + continue + other_dt = _parse_timestamp(other_raw) + if other_dt is None: + continue + if span > 0: + frac2 = max(0.0, min(1.0, (other_dt - range_min).total_seconds() / span)) + new_other = (anchor - compress_window) + timedelta(seconds=frac2 * compress_window.total_seconds()) + else: + new_other = anchor + ev[fld] = new_other.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z" + + updated += 1 + return updated + + +# ── Normalization — identical logic to replay_scenario.py ──────────────────── + +def normalize_events(events: List[Dict[str, Any]], source_name: str) -> List[Dict[str, Any]]: + run_id = uuid.uuid4().hex[:8] + src = source_name.lower() + + for ev in events: + # Proofpoint TAP: normalize recipient list, rotate GUID/id + if "proofpoint" in src or "tap" in src: + recipient = ev.get("recipient") + if isinstance(recipient, list): + ev["recipient"] = recipient[0] if recipient else "" + elif isinstance(recipient, str): + stripped = recipient.strip() + if stripped.startswith("["): + try: + parsed = json.loads(stripped) + ev["recipient"] = parsed[0] if parsed else "" + except Exception: + pass + for guid_field in ("GUID", "id"): + val = ev.get(guid_field, "") + if val: + ev[guid_field] = f"{val}-{run_id}" + + # CrowdStrike: reconstruct UPN, rotate composite_id + if "crowdstrike" in src or "falcon" in src: + user_name = ev.get("user_name", "") + if (isinstance(user_name, str) and user_name + and "@" not in user_name + and not user_name.endswith("$") + and user_name.upper() != "SYSTEM"): + device = ev.get("device", {}) + domain = "" + if isinstance(device, dict): + domain = device.get("machine_domain", "") or device.get("domain", "") + if not domain: + domain = ev.get("domain", "") + if not domain: + up = ev.get("user_principal", "") + if up and "@" in up: + domain = up.split("@")[1] + if domain: + ev["user_name"] = f"{user_name}@{domain.upper()}" + val = ev.get("composite_id", "") + if val: + ev["composite_id"] = f"{val}-{run_id}" + + # Microsoft Defender: rotate providerAlertId/id + if "defender" in src or "microsoft" in src or "mde" in src: + for id_field in ("providerAlertId", "id"): + val = ev.get(id_field, "") + if val: + ev[id_field] = f"{val}-{run_id}" + + return events + + +# ── List loading — scripts have executeCommand ──────────────────────────────── + +def load_list(list_name: str) -> List[Dict[str, Any]]: + res = demisto.executeCommand("getList", {"listName": list_name}) + if isError(res): + raise ValueError( + f"List '{list_name}' not found or could not be read. " + f"Check the list name matches exactly. Error: {get_error(res)}" + ) + content = res[0].get("Contents", "") + if not content or content == "Item not found (8)": + raise ValueError( + f"List '{list_name}' does not exist. " + f"Verify the list is installed and the name is correct." + ) + if isinstance(content, list): + return content + if isinstance(content, str): + return json.loads(content) + raise ValueError(f"Unexpected list content type: {type(content)}") + + +# ── Main ────────────────────────────────────────────────────────────────────── + +def main(): + args = demisto.args() + + list_name = args.get("list_name", "") + instance_name = args.get("instance_name", "") + source_name = args.get("source_name", "") + compress_str = args.get("compress_window", "2h") + global_min_str = args.get("global_min", "") + global_max_str = args.get("global_max", "") + + if not list_name: + return_error("list_name is required.") + if not instance_name: + return_error("instance_name is required (e.g. socfw_pov_crowdstrike_sender).") + if not source_name: + return_error("source_name is required (e.g. crowdstrike or proofpoint).") + + try: + compress_window = parse_duration(compress_str) + + global_min: Optional[datetime] = _parse_timestamp(global_min_str) if global_min_str else None + global_max: Optional[datetime] = _parse_timestamp(global_max_str) if global_max_str else None + + # Load from list (executeCommand available in scripts) + events = load_list(list_name) + if not events: + return_results(f"List '{list_name}' contains no events — nothing sent.") + return + + # Normalize and rebase + events = normalize_events(events, source_name) + time_field = detect_time_field(events) or "_time" + anchor = datetime.now(timezone.utc) + rebased = rebase(events, time_field, anchor, compress_window, + global_min=global_min, global_max=global_max) + + # Batch the executeCommand calls — CrowdStrike events are ~18KB each, + # 138 events = 2.3MB which exceeds the executeCommand argument size limit. + # Send in batches of 5 events (~100KB per call) to stay well under the limit. + _BATCH_SIZE = 5 + total = len(events) + sent = 0 + + for i in range(0, total, _BATCH_SIZE): + batch = events[i:i + _BATCH_SIZE] + execute_args = {"JSON": json.dumps(batch)} + if instance_name: + execute_args["using"] = instance_name + + result = demisto.executeCommand("socfw-pov-send-data", execute_args) + + failed = isError(result) + if not failed and result: + entry = result[0] if isinstance(result, list) else result + contents = entry.get("Contents", "") if isinstance(entry, dict) else "" + if "Unsupported Command" in str(contents): + return_error( + f"SOCFWPoVSender failed — check instance name '{instance_name}' " + f"is correct and the integration is enabled. Detail: {contents}" + ) + if failed: + return_error(f"SOCFWPoVSender failed on batch {i // _BATCH_SIZE + 1}: {get_error(result)}") + + sent += len(batch) + demisto.debug(f"SOCFWPoVSend: batch {i // _BATCH_SIZE + 1} — {sent}/{total} events sent") + + summary = ( + f"**SOCFWPoVSend** — complete\n\n" + f"| Field | Value |\n|---|---|\n" + f"| List | `{list_name}` |\n" + f"| Source | `{source_name}` |\n" + f"| Instance | `{instance_name}` |\n" + f"| Events sent | {len(events)} |\n" + f"| Timestamps rebased | {rebased} |\n" + f"| Compress window | {compress_str} |\n" + f"| Anchor | {anchor.strftime('%Y-%m-%dT%H:%M:%SZ')} |\n" + f"| Global min | {global_min_str or 'auto'} |\n" + f"| Global max | {global_max_str or 'auto'} |" + ) + return_results(summary) + + except Exception as e: + return_error(f"SOCFWPoVSend error: {str(e)}") + + +if __name__ in ("__main__", "__builtin__", "builtins"): + main() diff --git a/Packs/soc-framework-pov-test/Scripts/SOCFWPoVSend/SOCFWPoVSend.yml b/Packs/soc-framework-pov-test/Scripts/SOCFWPoVSend/SOCFWPoVSend.yml new file mode 100644 index 0000000..9a0dd62 --- /dev/null +++ b/Packs/soc-framework-pov-test/Scripts/SOCFWPoVSend/SOCFWPoVSend.yml @@ -0,0 +1,65 @@ +adopted: true +commonfields: + id: SOCFWPoVSend + version: -1 +name: SOCFWPoVSend +type: python +subtype: python3 +dockerimage: demisto/python3:3.10.14.100715 +enabled: true +tags: + - SOCFramework + - PoV +comment: |- + Reads a PoV scenario data list, rebases timestamps to now with window + compression, normalizes source-specific fields, rotates suppression IDs, + then calls the SOCFWPoVSender integration to POST events to the configured + HTTP Collector endpoint. + + Run from any case war room or the playground: + !SOCFWPoVSend list_name=SOCFWPoVData_CrowdStrike_TurlaCarbon_V1 + instance_name=socfw_pov_crowdstrike_sender + source_name=crowdstrike + global_min=2025-12-02T13:00:00Z + global_max=2025-12-04T12:01:07Z + + Part of soc-framework-pov-test pack. Do not use on production tenants. +args: + - name: list_name + required: true + description: Name of the XSIAM list containing scenario event data as a JSON array. + supportedModules: [] + - name: instance_name + required: true + description: |- + SOCFWPoVSender integration instance to use for sending. + e.g. socfw_pov_crowdstrike_sender or socfw_pov_tap_sender + supportedModules: [] + - name: source_name + required: true + description: |- + Source type for normalization routing. + Supported: crowdstrike, proofpoint, defender. + supportedModules: [] + - name: compress_window + required: false + description: Compress original event timeline into this window. Default 2h. + defaultValue: "2h" + supportedModules: [] + - name: global_min + required: false + description: |- + ISO timestamp of the earliest event across ALL sources in this scenario. + Required for multi-source time alignment. + Turla Carbon: 2025-12-02T13:00:00Z + supportedModules: [] + - name: global_max + required: false + description: |- + ISO timestamp of the latest event across ALL sources in this scenario. + Required for multi-source time alignment. + Turla Carbon: 2025-12-04T12:01:07Z + supportedModules: [] +outputs: [] +fromversion: 6.10.0 +script: '' diff --git a/Packs/soc-framework-pov-test/pack_metadata.json b/Packs/soc-framework-pov-test/pack_metadata.json new file mode 100644 index 0000000..b49d335 --- /dev/null +++ b/Packs/soc-framework-pov-test/pack_metadata.json @@ -0,0 +1,22 @@ +{ + "name": "SOC Framework PoV Test", + "id": "soc-framework-pov-test", + "description": "PoV scenario replay pack for SOC Framework demonstrations. Provides the SOCFWPoVSender integration for sending attack scenario event data to XSIAM via HTTP Collector, pre-built scenario data lists for the Turla Carbon attack chain (CrowdStrike + Proofpoint TAP), and a teardown reminder JOB. Install on PoV and dev tenants only. Uninstall before PS handoff.", + "version": "1.0.0", + "author": "Palo Alto Networks", + "url": "https://github.com/Palo-Cortex/secops-framework", + "support": "xsoar", + "currentVersion": "1.0.0", + "tags": [ + "SOCFramework", + "PoV", + "Testing" + ], + "categories": [ + "Utilities" + ], + "useCases": [], + "keywords": [], + "system": true, + "marketplaces": ["marketplacev2"] +} diff --git a/Packs/soc-framework-pov-test/xsoar_config.json b/Packs/soc-framework-pov-test/xsoar_config.json new file mode 100644 index 0000000..570de90 --- /dev/null +++ b/Packs/soc-framework-pov-test/xsoar_config.json @@ -0,0 +1,269 @@ +{ + "post_config_docs": [ + { + "name": "SOC Framework PoV Test - Post Config", + "url": "https://github.com/Palo-Cortex/secops-framework/blob/main/Packs/soc-framework-pov-test/POST_CONFIG_README.md" + } + ], + "custom_packs": [ + { + "id": "soc-framework-pov-test.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-pov-test-v1.0.0/soc-framework-pov-test-v1.0.0.zip", + "system": "yes" + } + ], + "integration_instances": [ + { + "version": 1, + "propagationLabels": ["all"], + "isOverridable": false, + "enabled": "true", + "name": "socfw_pov_crowdstrike_sender", + "brand": "SOCFWPoVSender", + "category": "Utilities", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "display": "HTTP Collector URL", + "displayPassword": "", + "name": "url", + "defaultValue": "", + "type": 0, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "HTTP Collector endpoint URL for crowdstrike_falcon_event_raw. Found in Settings → Data Sources → [collector] → Connection Details.", + "hasvalue": false, + "value": "" + }, + { + "display": "API Key", + "displayPassword": "API Key", + "name": "api_key", + "defaultValue": "", + "type": 4, + "required": true, + "hidden": false, + "hiddenUsername": true, + "hiddenPassword": false, + "options": null, + "info": "HTTP Collector API key.", + "hasvalue": false, + "value": "" + }, + { + "display": "Source Name", + "displayPassword": "", + "name": "source_name", + "defaultValue": "crowdstrike", + "type": 0, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "crowdstrike — drives normalization routing.", + "hasvalue": true, + "value": "crowdstrike" + }, + { + "display": "Default Compress Window", + "displayPassword": "", + "name": "compress_window", + "defaultValue": "2h", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Timeline compression window. Default: 2h.", + "hasvalue": true, + "value": "2h" + } + ], + "passwordProtected": false + }, + { + "version": 1, + "propagationLabels": ["all"], + "isOverridable": false, + "enabled": "true", + "name": "socfw_pov_tap_sender", + "brand": "SOCFWPoVSender", + "category": "Utilities", + "engine": "", + "engineGroup": "", + "isIntegrationScript": true, + "mappingId": "", + "outgoingMapperId": "", + "incomingMapperId": "", + "canSample": false, + "defaultIgnore": false, + "integrationLogLevel": "", + "configuration": { + "id": "", + "version": 0, + "cacheVersn": 0, + "modified": "0001-01-01T00:00:00Z", + "sizeInBytes": 0, + "packID": "", + "packName": "", + "itemVersion": "", + "fromServerVersion": "", + "toServerVersion": "", + "definitionId": "", + "isOverridable": false, + "vcShouldIgnore": false, + "vcShouldKeepItemLegacyProdMachine": false, + "commitMessage": "", + "shouldCommit": false, + "name": "", + "prevName": "", + "display": "", + "brand": "", + "category": "", + "icon": "", + "description": "", + "configuration": null, + "integrationScript": null, + "hidden": false, + "canGetSamples": false + }, + "data": [ + { + "display": "HTTP Collector URL", + "displayPassword": "", + "name": "url", + "defaultValue": "", + "type": 0, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "HTTP Collector endpoint URL for proofpoint_tap_v2_generic_alert_raw.", + "hasvalue": false, + "value": "" + }, + { + "display": "API Key", + "displayPassword": "API Key", + "name": "api_key", + "defaultValue": "", + "type": 4, + "required": true, + "hidden": false, + "hiddenUsername": true, + "hiddenPassword": false, + "options": null, + "info": "HTTP Collector API key.", + "hasvalue": false, + "value": "" + }, + { + "display": "Source Name", + "displayPassword": "", + "name": "source_name", + "defaultValue": "proofpoint", + "type": 0, + "required": true, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "proofpoint — drives normalization routing.", + "hasvalue": true, + "value": "proofpoint" + }, + { + "display": "Default Compress Window", + "displayPassword": "", + "name": "compress_window", + "defaultValue": "2h", + "type": 0, + "required": false, + "hidden": false, + "hiddenUsername": false, + "hiddenPassword": false, + "options": null, + "info": "Timeline compression window. Default: 2h.", + "hasvalue": true, + "value": "2h" + } + ], + "passwordProtected": false + } + ], + "jobs": [ + { + "CustomFields": null, + "type": "##default##", + "name": "POV Teardown Reminder V1", + "severity": 0, + "labels": null, + "details": "Fires on the PoV end date and creates a High severity case with the uninstall checklist. Set the schedule date after installing the pack.", + "owner": "", + "playbookId": "JOB - POV Teardown Reminder V1", + "phase": "", + "startDate": "2025-01-01T00:00:00.000Z", + "endingType": "never", + "times": 1, + "recurrent": false, + "endingDate": "2025-01-01T00:00:00.000Z", + "humanCron": { + "days": ["SUN","MON","TUE","WED","THU","FRI","SAT"], + "timePeriodType": "minutes", + "timePeriod": 60 + }, + "cronView": false, + "scheduled": false, + "tags": null, + "shouldTriggerNew": true, + "closePrevRun": false, + "notifyOwner": false, + "isFeed": false, + "selectedFeeds": null, + "isAllFeeds": false + } + ] +} diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json index ac25bbb..6c7bb84 100644 --- a/Packs/soc-optimization-unified/xsoar_config.json +++ b/Packs/soc-optimization-unified/xsoar_config.json @@ -13,7 +13,7 @@ }, { "id": "soc-framework-nist-ir.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-nist-ir-v1.5.2/soc-framework-nist-ir-v1.5.2.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-nist-ir-v1.5.3/soc-framework-nist-ir-v1.5.3.zip", "system": "yes" }, {