Stormshield SES
Overview
Stormshield SES is a comprehensive cybersecurity solution designed to protect individual devices, such as computers and servers, from various cyber threats and attacks. It encompasses advanced features like antivirus, firewall, intrusion detection and prevention, application control, and data encryption. This solution aims to safeguard endpoints from malware, ransomware, phishing, and other malicious activities, while providing centralized management and real-time threat visibility for enhanced security posture.
- Vendor: Stormshield
- Plan: Defend Core & Defend Prime
- Supported environment: On prem
- Version Compatibility: 7,0
- Detection based on: Telemetry
Configure
This section will guide you through forwarding Stormshield SES logs to SEKOIA.IO.
Create the intake
Go to the intake page and create a new intake from the format Stormshield Endpoint Security.
Configure the Agent handler
- Log on to your Stormshield SES console
- Go to
Backoffice > Agent handlers
- Select an Agent handler group or create a new one
- On the Agent handler group, in the Syslog servers section, click + Add a server
- In the syslog server configuration:
- Set the address of the syslog destination to intake.sekoia.io
- Select TCP/TLS as the protocol
- Set the syslog destination port to 10514
- Select Raw Json as the message content
- Select Non-Transparent-Framing as the transfer type
- In the Structured data input, add [SEKOIA@53288 intake_key="<YOUR_INTAKE_KEY>"], replacing the placeholder with your intake key
- Save the configuration
Troubleshooting
The SES Agent handler cannot authenticate the Sekoia.io syslog endpoint
The Sekoia.io syslog endpoint is secured with a Letsencrypt certificate.
Depending on your SES Agent handler installation, it may be necessary to install the ISRG Root X1 certificate in the trusted root certification authorities certificate store, so that the agent handler can validate the endpoint's certificate chain:
On the SES Agent handler machines:
- Download the ISRG Root X1 certificate: https://letsencrypt.org/certs/isrgrootx1.pem
- Rename the downloaded certificate file by appending the .crt extension
- Import the certificate into the trusted root certification authorities certificate store of the machine
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. This is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"Version": 1,
"Type": 1000,
"TypeComputedMap": "LostBuffers",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0E997D-0D6B-40A9-81F1-7C21E9B8AAD3}",
"Timestamp": "2023-06-15T06:30:00.0000000+01:00",
"TimestampRaw": 133232454000000000,
"GenerateIncident": false,
"SpecificData": {
"LostBuffersCount": 35
}
}
{
"Version": 1,
"Type": 1001,
"TypeComputedMap": "RulesEngCriticalError",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD054D09-4231-4A21-8BA1-440AEBAC0CC9}",
"Timestamp": "2023-06-15T06:40:00.0000000+01:00",
"TimestampRaw": 133232460000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 1002,
"TypeComputedMap": "RulesEngIdentifierCollectionError",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD060B75-CD2D-4F29-9E23-8F45C47772BA}",
"Timestamp": "2023-06-15T06:50:00.0000000+01:00",
"TimestampRaw": 133232466000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 1003,
"TypeComputedMap": "RulesEngRulesPackageError",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0969EB-BA6D-481A-B96D-730EC18FE560}",
"Timestamp": "2023-06-15T07:00:00.0000000+01:00",
"TimestampRaw": 133232472000000000,
"GenerateIncident": false,
"SpecificData": {
"RulesPackageKeyPath": "HKLM\\TestPath\\Here"
}
}
{
"Version": 1,
"Type": 1004,
"TypeComputedMap": "RulesEngInvalidParameter",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD075EE1-778C-4E3E-81E5-A565E4A4FF68}",
"Timestamp": "2023-06-15T07:10:00.0000000+01:00",
"TimestampRaw": 133232478000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 1006,
"TypeComputedMap": "TemporaryWebAccessStart",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD07FF6B-417C-4249-B1D6-259FEDD9CFF2}",
"Timestamp": "2023-06-15T07:20:00.0000000+01:00",
"TimestampRaw": 133232484000000000,
"GenerateIncident": false,
"SpecificData": {
"Duration": 50000,
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"User": "S-1-5-21-2222222-33333333-44444444-555"
}
}
{
"Version": 1,
"Type": 1007,
"TypeComputedMap": "TemporaryWebAccessStartFailed",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD04C4F9-0196-441F-A772-F54FC0793D41}",
"Timestamp": "2023-06-15T07:30:00.0000000+01:00",
"TimestampRaw": 133232490000000000,
"GenerateIncident": false,
"SpecificData": {
"ErrorCode": 5,
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"User": "S-1-5-21-2222222-33333333-44444444-555"
}
}
{
"Version": 1,
"Type": 1008,
"TypeComputedMap": "TemporaryWebAccessStop",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0E045B-4A76-4297-9269-D7DDE4C631FD}",
"Timestamp": "2023-06-15T07:40:00.0000000+01:00",
"TimestampRaw": 133232496000000000,
"GenerateIncident": false,
"SpecificData": {
"UserNameLookup": null,
"UserDomainLookup": null,
"User": "S-1-5-21-2222222-33333333-44444444-555"
}
}
{
"Version": 1,
"Type": 1009,
"TypeComputedMap": "TemporaryWebAccessStopFailed",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD02A68E-3F78-438B-B64B-79112040192E}",
"Timestamp": "2023-06-15T07:50:00.0000000+01:00",
"TimestampRaw": 133232502000000000,
"GenerateIncident": false,
"SpecificData": {
"ErrorCode": 5,
"UserNameLookup": null,
"UserDomainLookup": null,
"User": "S-1-5-21-2222222-33333333-44444444-555"
}
}
{
"Version": 1,
"Type": 1010,
"TypeComputedMap": "AgentInternalLogExceedMaxSize",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0F16E5-852C-4686-9979-AA5A859D50F2}",
"Timestamp": "2023-06-15T08:00:00.0000000+01:00",
"TimestampRaw": 133232508000000000,
"GenerateIncident": false,
"SpecificData": {
"FaultyLogType": 1010,
"FaultyLogTypeComputedMap": null
}
}
{
"Version": 1,
"Type": 1011,
"TypeComputedMap": "TemporaryWebAccessMaxCountReached",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD09731F-F853-4815-9DE3-C4B6991F689E}",
"Timestamp": "2023-06-15T08:10:00.0000000+01:00",
"TimestampRaw": 133232514000000000,
"GenerateIncident": false,
"SpecificData": {
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"User": "S-1-5-21-2222222-33333333-44444444-555"
}
}
{
"Version": 1,
"Type": 103,
"TypeComputedMap": "RegistryKeyCreate",
"Severity": 4,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD042F09-DB50-4EDB-8370-DB9A3C37A5EF}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T05:23:57.0238678+02:00",
"TimestampRaw": 133311362370238678,
"SpecificData": {
"SourceProcess": {
"PID": 1832,
"ProcessGuid": "{E38CB57F-32F0-4AB4-9581-8CDD6B0E95B1}",
"ProcessImageName": "C:\\Windows\\System32\\svchost.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "C:\\WINDOWS\\system32\\svchost.exe-knetsvcs-p-swlidsvc",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-16384",
"IntegrityLevelNameLookup": "Niveauobligatoiresyst\u00e8me",
"IntegrityLevelDomainLookup": "\u00c9tiquetteobligatoire",
"SessionID": 0,
"HashMd5": "B7F884C1B74A263F746EE12A5F7C9F6A",
"HashSha1": "1BC5066DDF693FC034D6514618854E26A84FD0D1",
"HashSha256": "ADD683A6910ABBBF0E28B557FAD0BA998166394932AE2ACA069D9AA19EA8FE88",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindowsPublisher",
"SigningTime": "2022-06-18T08:21:06.9540000+02:00",
"ValidityStart": "2022-01-27T21:31:19.0000000+02:00",
"ValidityEnd": "2023-01-26T21:31:19.0000000+02:00"
}
],
"ProcessStartTime": "2023-06-13T15:17:42.8190445+02:00",
"ProcessStartTimeRaw": 133311358628190445
},
"Action": {
"PolicyGuid": "{621F7A4B-040E-42C2-9B4F-173BA48E067B}",
"PolicyVersion": 2,
"RuleGuid": "{E63B82C5-EC6B-4FBA-B854-94D81A98EAAA}",
"BaseRuleGuid": "{E63B82C5-EC6B-4FBA-B854-94D81A98EAA9}",
"IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
"Blocked": false,
"RequestMoveToQuarantine": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"Details": {
"Options": 1,
"OptionsComputedBitMap": [
"REG_OPTION_VOLATILE"
],
"DesiredAccess": 131103,
"DesiredAccessComputedBitMap": [
"KEY_QUERY_VALUE",
"KEY_SET_VALUE",
"KEY_CREATE_SUB_KEY",
"KEY_ENUMERATE_SUB_KEYS",
"KEY_NOTIFY",
"READ_CONTROL"
]
},
"DetailsType": 0,
"DetailsTypeComputedMap": "REGISTRY_KEY_CREATE",
"Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IdentityCRL\\ThrottleCache\\S-1-5-18_{67082621-8D18-4333-9C64-10DE93676363}"
}
}
{
"Version": 1,
"Type": 104,
"TypeComputedMap": "RegistryKeyRead",
"Severity": 4,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0B285F-2E43-4390-823C-73CB7736D0AA}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T05:34:00.8441322+02:00",
"TimestampRaw": 133311368408441322,
"SpecificData": {
"SourceProcess": {
"PID": 6704,
"ProcessGuid": "{0E6042A8-0DC3-47A6-9FB4-8936B396C1AC}",
"ProcessImageName": "C:\\Windows\\explorer.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "C:\\WINDOWS\\Explorer.EXE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "Niveauobligatoiremoyen",
"IntegrityLevelDomainLookup": "\u00c9tiquetteobligatoire",
"SessionID": 2,
"HashMd5": "790E65F13ECEB64FE297DF08EB1C953A",
"HashSha1": "5F04BC4911EEBA35EC294B111C57D90808A4C4BD",
"HashSha256": "B6F176E86DED71B8494FAD53791367C870318B1E7D9C3E1AEE1B0DAC6CFAC237",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2023-05-09T10:18:43.9710000+02:00",
"ValidityStart": "2023-02-03T02:05:42.0000000+02:00",
"ValidityEnd": "2024-02-01T02:05:42.0000000+02:00"
}
],
"ProcessStartTime": "2023-06-13T15:32:52.0646809+02:00",
"ProcessStartTimeRaw": 133311367720646809
},
"Action": {
"PolicyGuid": "{621F7A4B-040E-42C2-9B4F-173BA48E067B}",
"PolicyVersion": 4,
"RuleGuid": "{E63B82C5-EC6B-4FBA-B854-94D81A98EAAA}",
"BaseRuleGuid": "{E63B82C5-EC6B-4FBA-B854-94D81A98EAA9}",
"IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
"Blocked": false,
"RequestMoveToQuarantine": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\TimeZones",
"InformationClass": 0,
"InformationClassComputedMap": "KeyBasicInformation"
}
}
{
"Version": 1,
"Type": 104,
"TypeComputedMap": "RegistryKeyRead",
"Severity": 2,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{4C8EFA24-0021-49CA-B9F7-CF5A7BF57173}",
"GenerateIncident": true,
"Timestamp": "2024-07-09T12:08:54.9660242+02:00",
"TimestampRaw": 133649933349660242,
"SpecificData": {
"SourceProcess": {
"PID": 3948,
"ProcessGuid": "{93158E40-E93F-46CE-BCE0-3FC359B07B75}",
"ProcessImageName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe\"",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-16384",
"IntegrityLevelNameLookup": "Niveau obligatoire syst\u00e8me",
"IntegrityLevelDomainLookup": "\u00c9tiquette obligatoire",
"SessionID": 0,
"HashMd5": "4A4D6E95B693256BCD6E90FDC077194A",
"HashSha1": "2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E",
"HashSha256": "08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED",
"IsProtectedOrCritical": true,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "Microsoft Windows Production PCA 2011",
"SubjectCN": "Microsoft Windows Publisher",
"SigningTime": "2024-05-11T03:15:15.5120000+02:00",
"ValidityStart": "2024-02-08T21:22:45.0000000+02:00",
"ValidityEnd": "2025-02-07T21:22:45.0000000+02:00"
}
],
"ProcessStartTime": "2024-07-09T10:03:54.4154623+02:00",
"ProcessStartTimeRaw": 133649858344154623
},
"Action": {
"PolicyGuid": "{2042076D-A879-4913-A2C7-E94A9ECE8D79}",
"PolicyVersion": 14,
"RuleGuid": "{F676C8C4-D8FD-4ED2-89FB-C949EA33951C}",
"BaseRuleGuid": "{508448D3-1872-416D-99D9-A3F64AE24C48}",
"IdentifierGuid": "{6F1EAB4E-60E5-4DA2-8509-768988375E47}",
"Blocked": false,
"RequestMoveToQuarantine": false,
"UserDecision": false,
"SourceProcessKilled": false,
"RuleTags": [
"T1562.001"
]
},
"Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\TemporaryPaths",
"InformationClass": 4,
"InformationClassComputedMap": "KeyCachedInformation"
},
"AdditionalData": {
"AgentAddresses": [
"1.2.3.4"
],
"AgentGroupGuid": "{1B24AC36-5218-4F44-A374-80D86475E325}",
"AgentGroupName": "Demo",
"AgentGuid": "{6CA7D1BE-7359-426D-B5B1-D9E742DF69A6}",
"AgentName": "WIN10-A",
"AttackCVEId": null,
"AttackMitreTacticId": [
"TA0005"
],
"AttackMitreTacticName": [
"Defense Evasion"
],
"AttackMitreTechnicId": [
"T1562",
"T1562.001"
],
"AttackMitreTechnicName": [
"Impair Defenses",
"Disable or Modify Tools"
],
"AttackSESId": null,
"AttackTriggerCondition": "An untrusted process attempts to add bypass into Windows Defender.",
"CategoryName": "Registry",
"IncidentGuid": "{CE926A32-4461-47C0-BDE8-43C1493E7DF0}",
"Message": "The 'MsMpEng.exe' process read the registry key 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\TemporaryPaths'",
"PolicyName": "Demo - Protect policy",
"SeverityName": "Critical"
}
}
{
"Version": 1,
"Type": 109,
"TypeComputedMap": "RegistryKeyWrite",
"Category": 1,
"CategoryComputedMap": "Registry",
"Severity": 4,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0D1A3F-D034-4FE6-BE01-10DB9C0F6C4E}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T06:07:58.8191262+01:00",
"TimestampRaw": 133225888788191262,
"SpecificData": {
"SourceProcess": {
"PID": 1196,
"ProcessGuid": "{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}",
"ProcessImageName": "C:\\Windows\\regedit.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "\"C:\\WINDOWS\\regedit.exe\"",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "MediumMandatoryLevel",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"SessionID": 2,
"HashMd5": "999A30979F6195BF562068639FFC4426",
"HashSha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9",
"HashSha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2023-01-18T02:58:33.2360000+01:00",
"ValidityStart": "2022-05-05T20:23:14.0000000+01:00",
"ValidityEnd": "2023-05-04T20:23:14.0000000+01:00"
}
],
"ProcessStartTime": "2023-03-06T16:04:21.8793902+01:00",
"ProcessStartTimeRaw": 133225886618793902
},
"Action": {
"PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
"PolicyVersion": 3,
"RuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}",
"BaseRuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}",
"IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
"Blocked": true,
"UserDecision": false,
"SourceProcessKilled": false
},
"Details": {
"Options": 0,
"OptionsComputedBitMap": [],
"DesiredAccess": 33554432,
"DesiredAccessComputedBitMap": [
"MAXIMUM_ALLOWED"
],
"SubkeyName": "NewKey#1"
},
"DetailsType": 0,
"DetailsTypeComputedMap": "REGISTRY_KEY_CREATE_SUBKEY",
"Path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE"
}
}
{
"Version": 1,
"Type": 11,
"TypeComputedMap": "ProcessExecution",
"Category": 4,
"CategoryComputedMap": "Other",
"Severity": 2,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD066513-E7B5-4F79-AE62-0885C51EA629}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T06:08:53.7673622+01:00",
"TimestampRaw": 133209473337673622,
"SpecificData": {
"SourceProcess": {
"PID": 5496,
"ProcessGuid": "{71D28FEC-F11C-4F18-AE90-441C0C7EDBE3}",
"ProcessImageName": "C:\\Windows\\explorer.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "C:\\Windows\\Explorer.EXE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "MediumMandatoryLevel",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"SessionID": 2,
"HashMd5": "DEEEE5E9267B65A9A82BE24BE2693365",
"HashSha1": "FC924E1BBEC021CB5685B05728618EB421AD3FBE",
"HashSha256": "0472C590414103F5F8FB9FB3D710ADC5DFD13539E48B4AAA55CC954203202C13",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2023-01-06T12:01:50.2850000+01:00",
"ValidityStart": "2022-05-05T20:23:15.0000000+01:00",
"ValidityEnd": "2023-05-04T20:23:15.0000000+01:00"
}
],
"ProcessStartTime": "2023-02-15T11:35:02.4495876+01:00",
"ProcessStartTimeRaw": 133209309024495876
},
"Action": {
"PolicyGuid": "{C28F5498-FDC3-4E59-A13C-6139CE1FD00C}",
"PolicyVersion": 3,
"RuleGuid": "{4DE7AEC5-BACF-46F8-9B78-2203A14D1562}",
"BaseRuleGuid": "{4DE7AEC5-BACF-46F8-9B78-2203A14D1561}",
"IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
"Blocked": true,
"UserDecision": false,
"SourceProcessKilled": false
},
"CreatedProcess": {
"PID": 5280,
"ProcessGuid": "{2E91C661-4ACA-4CDB-84D1-CCD98308B120}",
"ProcessImageName": "C:\\Windows\\System32\\notepad.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "\"C:\\Windows\\system32\\notepad.exe\"",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "Test",
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "MediumMandatoryLevel",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"SessionID": 2,
"HashMd5": "27F71B12CB585541885A31BE22F61C83",
"HashSha1": "D05DEFE2C8EFEF10ED5F1361760FA0AE41FA79F5",
"HashSha256": "F9D9B9DED9A67AA3CFDBD5002F3B524B265C4086C188E1BE7C936AB25627BF01",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2022-07-21T02:36:42.3560000+01:00",
"ValidityStart": "2021-09-02T19:23:41.0000000+01:00",
"ValidityEnd": "2022-09-01T19:23:41.0000000+01:00"
}
],
"ProcessStartTime": "2023-02-15T16:08:53.7602140+01:00",
"ProcessStartTimeRaw": 133209473337602140
},
"ParentProcess": {
"PID": 5496,
"ProcessGuid": "{71D28FEC-F11C-4F18-AE90-441C0C7EDBE3}",
"ProcessImageName": "C:\\Windows\\explorer.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "C:\\Windows\\Explorer.EXE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "Test",
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "MediumMandatoryLevel",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"SessionID": 2,
"HashMd5": "DEEEE5E9267B65A9A82BE24BE2693365",
"HashSha1": "FC924E1BBEC021CB5685B05728618EB421AD3FBE",
"HashSha256": "0472C590414103F5F8FB9FB3D710ADC5DFD13539E48B4AAA55CC954203202C13",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2023-01-06T12:01:50.2850000+01:00",
"ValidityStart": "2022-05-05T20:23:15.0000000+01:00",
"ValidityEnd": "2023-05-04T20:23:15.0000000+01:00"
}
],
"ProcessStartTime": "2023-02-15T11:35:02.4495876+01:00",
"ProcessStartTimeRaw": 133209309024495876
}
}
}
{
"Version": 1,
"Type": 112,
"TypeComputedMap": "RegistryKeyDelete",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0DBC09-BED9-4335-B645-643B9CAB885C}",
"Timestamp": "2023-06-15T02:50:00.0000000+01:00",
"TimestampRaw": 133232322000000000,
"GenerateIncident": false,
"SpecificData": {
"Details": null,
"Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Test",
"SourceProcess": {
"PID": 8,
"ProcessImageName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
"UserSID": null,
"SessionID": 0,
"ProcessGuid": "f0fbb584-bc08-41d1-93a2-a04f8fc65c32",
"ProcessCommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"",
"HashMd5": "0470A1A62B3FAA0AF14D9AFD8FAFB111",
"HashSha1": "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6",
"HashSha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7",
"UserNameLookup": "JOHNDOE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserDomainLookup": "TEST",
"CertificateSignatureState": 5,
"Certificates": null,
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "Medium",
"IntegrityLevelDomainLookup": "Mandatory Label",
"IsProtectedOrCritical": false,
"ProcessStartTimeRaw": 133204190354018719,
"ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
"CertificateSignatureStateComputedMap": "SignatureStateUntrusted"
},
"Action": {
"PolicyGuid": "00000000-0000-0000-0000-000000000000",
"PolicyVersion": 0,
"RuleGuid": "00000000-0000-0000-0000-000000000000",
"BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
"IdentifierGuid": "00000000-0000-0000-0000-000000000000",
"Blocked": true,
"UserDecision": false,
"SourceProcessKilled": true
}
}
}
{
"Version": 1,
"Type": 113,
"TypeComputedMap": "RegistryValueCreate",
"Category": 1,
"CategoryComputedMap": "Registry",
"Severity": 4,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD003007-3EE1-478E-9D07-A3772739A5E6}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T06:13:20.2600711+01:00",
"TimestampRaw": 133225892002600711,
"SpecificData": {
"SourceProcess": {
"PID": 1196,
"ProcessGuid": "{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}",
"ProcessImageName": "C:\\Windows\\regedit.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "\"C:\\WINDOWS\\regedit.exe\"",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "MediumMandatoryLevel",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"SessionID": 2,
"HashMd5": "999A30979F6195BF562068639FFC4426",
"HashSha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9",
"HashSha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2023-01-18T02:58:33.2360000+01:00",
"ValidityStart": "2022-05-05T20:23:14.0000000+01:00",
"ValidityEnd": "2023-05-04T20:23:14.0000000+01:00"
}
],
"ProcessStartTime": "2023-03-06T16:04:21.8793902+01:00",
"ProcessStartTimeRaw": 133225886618793902
},
"Action": {
"PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
"PolicyVersion": 4,
"RuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}",
"BaseRuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}",
"IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"Path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE",
"ValueName": "Valeur_String",
"ValueDataType": 1,
"ValueDataTypeComputedMap": "REG_SZ",
"ValueData": ""
}
}
{
"Version": 1,
"Type": 113,
"TypeComputedMap": "RegistryValueCreate",
"Severity": 5,
"ServerReserved": 9,
"Attributes": 8,
"AttributesComputedBitMap": [
"Audit"
],
"EventGuid": "{E8B35E85-838F-44E5-B7AB-7635E9C81ECB}",
"GenerateIncident": false,
"Timestamp": "2024-03-22T12:39:27.6422102+01:00",
"TimestampRaw": 133555811676422102,
"SpecificData": {
"SourceProcess": {
"PID": 1196,
"ProcessGuid": "{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}",
"ProcessImageName": "C:\\Windows\\regedit.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operatingsystem"
],
"ProcessCommandLine": "\"C:\\WINDOWS\\regedit.exe\"",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "MediumMandatoryLevel",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"SessionID": 2,
"HashMd5": "999A30979F6195BF562068639FFC4426",
"HashSha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9",
"HashSha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2023-01-18T02:58:33.2360000+01:00",
"ValidityStart": "2022-05-05T20:23:14.0000000+01:00",
"ValidityEnd": "2023-05-04T20:23:14.0000000+01:00"
}
],
"ProcessStartTime": "2023-03-06T16:04:21.8793902+01:00",
"ProcessStartTimeRaw": 133225886618793902
},
"Action": {
"PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
"PolicyVersion": 4,
"RuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}",
"BaseRuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}",
"IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"Path": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements\\25000004",
"ValueName": "Element",
"ValueDataType": 3,
"ValueDataTypeComputedMap": "REG_BINARY",
"ValueData": [
0,
0,
0,
0,
0,
0,
0,
0
]
},
"AdditionalData": {
"AgentAddresses": [],
"AgentGroupGuid": "{61B578F4-289D-4B97-A331-DDDCB80C6427}",
"AgentGroupName": "Desktop",
"AgentGuid": "{6EF8564D-941A-4377-80FD-78CD3DFEB269}",
"AgentName": "DST-001",
"CategoryName": "Registry",
"IncidentGuid": null,
"Message": "The'svchost.exe'processcreatedtheregistryvalue'Element'",
"PolicyName": "Stormshield-Mediumpolicy-External",
"SeverityName": "Notice"
}
}
{
"Version": 1,
"Type": 114,
"TypeComputedMap": "RegistryValueRead",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0F267B-2FBB-4457-99C1-AC4663C7FC93}",
"Timestamp": "2023-06-15T03:10:00.0000000+01:00",
"TimestampRaw": 133232334000000000,
"GenerateIncident": false,
"SpecificData": {
"ValueName": "Value2",
"Path": "HKEY_LOCAL_MACHINE\\SOFTWARE",
"SourceProcess": {
"PID": 1,
"ProcessImageName": "C:\\Windows\\explorer.exe",
"UserSID": null,
"SessionID": 2,
"ProcessGuid": "92c246ec-0acd-11ea-a38a-00155d099004",
"ProcessCommandLine": "C:\\Windows\\Explorer.EXE",
"HashMd5": "4E196CEA0C9C46A7D656C67E52E8C7C7",
"HashSha1": "726C9D759C5F02080FA003B50466A3BE0C959865",
"HashSha256": "ED5F36137D09E1CFC0CCF2675FB5D460E7EED135BA36D3259D2C510592047F28",
"UserNameLookup": "JOHNDOE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserDomainLookup": "TEST",
"CertificateSignatureState": 1,
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "Microsoft Windows Production PCA 2011",
"SigningTime": "2019-10-20T14:09:02.8886192+01:00",
"ValidityEnd": "2020-05-02T22:24:36.0705280+01:00",
"ValidityStart": "2019-05-02T22:24:36.7807872+01:00",
"SubjectCN": "Microsoft Windows"
}
],
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "Medium",
"IntegrityLevelDomainLookup": "Mandatory Label",
"IsProtectedOrCritical": false,
"ProcessStartTimeRaw": 133204190354018719,
"ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
"CertificateSignatureStateComputedMap": "SignatureStateTrusted"
},
"Action": {
"PolicyGuid": "00000000-0000-0000-0000-000000000000",
"PolicyVersion": 0,
"RuleGuid": "00000000-0000-0000-0000-000000000000",
"BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
"IdentifierGuid": "00000000-0000-0000-0000-000000000000",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": false
}
}
}
{
"Version": 1,
"Type": 114,
"TypeComputedMap": "RegistryValueRead",
"Severity": 2,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{002A9967-5EF2-40CF-911D-7DBA518843A9}",
"GenerateIncident": true,
"Timestamp": "2024-07-09T12:33:11.2491955+02:00",
"TimestampRaw": 133649947912491955,
"SpecificData": {
"SourceProcess": {
"PID": 3948,
"ProcessGuid": "{9BC994D7-904B-4C9C-8DC0-A03A36F36276}",
"ProcessImageName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24050.7-0\\MsMpEng.exe\"",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-16384",
"IntegrityLevelNameLookup": "Niveau obligatoire syst\u00e8me",
"IntegrityLevelDomainLookup": "\u00c9tiquette obligatoire",
"SessionID": 0,
"HashMd5": "4A4D6E95B693256BCD6E90FDC077194A",
"HashSha1": "2E52FBE255C0CB6C6B27EEE8C28ACAFAA42DB60E",
"HashSha256": "08D69BDE42AEEA0F0ECBF16A84BF74AF47C0EA6C0ADA6DDBD40CDC7F5C2930ED",
"IsProtectedOrCritical": true,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "Microsoft Windows Production PCA 2011",
"SubjectCN": "Microsoft Windows Publisher",
"SigningTime": "2024-05-11T03:15:15.5120000+02:00",
"ValidityStart": "2024-02-08T21:22:45.0000000+02:00",
"ValidityEnd": "2025-02-07T21:22:45.0000000+02:00"
}
],
"ProcessStartTime": "2024-07-09T10:03:54.4154623+02:00",
"ProcessStartTimeRaw": 133649858344154623
},
"Action": {
"PolicyGuid": "{DDAB1006-337F-4B8C-8486-E5A9619144BB}",
"PolicyVersion": 14,
"RuleGuid": "{4FAC2120-288B-4B3C-9F77-2E5B6ECBB85E}",
"BaseRuleGuid": "{49A8528E-E749-4A9D-8736-2CF9380DE241}",
"IdentifierGuid": "{0B7EF8C7-FAE0-4890-981A-22FE12F22173}",
"Blocked": false,
"RequestMoveToQuarantine": false,
"UserDecision": false,
"SourceProcessKilled": false,
"RuleTags": [
"T1562.001"
]
},
"Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes",
"ValueName": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsInject.exe"
},
"AdditionalData": {
"AgentAddresses": [
"1.2.3.4"
],
"AgentGroupGuid": "{8AD24A5D-0B19-45E2-9B28-F584F8A54CBC}",
"AgentGroupName": "Demo",
"AgentGuid": "{CC0772D7-8EBC-4EE6-9FC0-A8B26F5FA7FF}",
"AgentName": "WIN10-A",
"AttackCVEId": null,
"AttackMitreTacticId": [
"TA0005"
],
"AttackMitreTacticName": [
"Defense Evasion"
],
"AttackMitreTechnicId": [
"T1562",
"T1562.001"
],
"AttackMitreTechnicName": [
"Impair Defenses",
"Disable or Modify Tools"
],
"AttackSESId": null,
"AttackTriggerCondition": "An untrusted process attempts to add bypass into Windows Defender.",
"CategoryName": "Registry",
"IncidentGuid": "{DA0FA4D3-76B8-4EE0-A8B7-5AFDF9F80071}",
"Message": "The 'MsMpEng.exe' process read the registry value 'C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsInject.exe'",
"PolicyName": "Demo - Protect policy",
"SeverityName": "Critical"
}
}
{
"Version": 1,
"Type": 115,
"TypeComputedMap": "RegistryValueWrite",
"Category": 1,
"CategoryComputedMap": "Registry",
"Severity": 4,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD09D00C-D632-4FB1-9606-AD80E2AB9AF5}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T06:13:26.1106189+01:00",
"TimestampRaw": 133225892061106189,
"SpecificData": {
"SourceProcess": {
"PID": 1196,
"ProcessGuid": "{B0E2F52D-8C18-4DF8-8E73-470BB4E5D373}",
"ProcessImageName": "C:\\Windows\\regedit.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "\"C:\\WINDOWS\\regedit.exe\"",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "MediumMandatoryLevel",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"SessionID": 2,
"HashMd5": "999A30979F6195BF562068639FFC4426",
"HashSha1": "D4F2663AABC03478975382B3C69F24B3C6BD2AA9",
"HashSha256": "92F24FED2BA2927173AAD58981F6E0643C6B89815B117E8A7C4A0988AC918170",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2023-01-18T02:58:33.2360000+01:00",
"ValidityStart": "2022-05-05T20:23:14.0000000+01:00",
"ValidityEnd": "2023-05-04T20:23:14.0000000+01:00"
}
],
"ProcessStartTime": "2023-03-06T16:04:21.8793902+01:00",
"ProcessStartTimeRaw": 133225886618793902
},
"Action": {
"PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
"PolicyVersion": 4,
"RuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0C0}",
"BaseRuleGuid": "{4CEEDD7A-875D-4C7E-9ABD-A710BD3DD0BF}",
"IdentifierGuid": "{5C079068-7641-4C9A-8600-BBDC93FBBCDD}",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"Path": "HKEY_CURRENT_USER\\SOFTWARE\\TEST_ADE",
"ValueName": "Valeur_String",
"ValueDataType": 1,
"ValueDataTypeComputedMap": "REG_SZ",
"ValueData": "lala"
}
}
{
"Version": 1,
"Type": 116,
"TypeComputedMap": "RegistryValueDelete",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0503D8-60D7-4B07-B649-6F70DE5A1125}",
"Timestamp": "2023-06-15T03:30:00.0000000+01:00",
"TimestampRaw": 133232346000000000,
"GenerateIncident": false,
"SpecificData": {
"ValueName": "Value2",
"Path": "HKEY_LOCAL_MACHINE\\SOFTWARE",
"SourceProcess": {
"PID": 6,
"ProcessImageName": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe",
"UserSID": null,
"SessionID": 0,
"ProcessGuid": "bed63e83-0f85-11ea-a38e-00155d099004",
"ProcessCommandLine": "\"C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsScript.exe\"",
"HashMd5": "0470A1A62B3FAA0AF44D9AFD9FAFB111",
"HashSha1": "0C9F34399C7C5A9372EFE0F6E6F33DA4116016C6",
"HashSha256": "2347766F6B5AD11E5C97167B5A452374EFF876136FC7B44F79BE14AD9A7FA3E7",
"UserNameLookup": "JOHNDOE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserDomainLookup": "TEST",
"CertificateSignatureState": 8,
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "Stormshield",
"SigningTime": "2019-11-25T14:15:45.4765488+01:00",
"ValidityEnd": "2040-01-01T00:59:59.1248256+01:00",
"ValidityStart": "2017-04-25T15:21:15.7216000+01:00",
"SubjectCN": "Stormshield"
}
],
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "Medium",
"IntegrityLevelDomainLookup": "Mandatory Label",
"IsProtectedOrCritical": false,
"ProcessStartTimeRaw": 133204190354018719,
"ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
"CertificateSignatureStateComputedMap": "SignatureStateBadSignature"
},
"Action": {
"PolicyGuid": "00000000-0000-0000-0000-000000000000",
"PolicyVersion": 0,
"RuleGuid": "00000000-0000-0000-0000-000000000000",
"BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
"IdentifierGuid": "00000000-0000-0000-0000-000000000000",
"Blocked": true,
"UserDecision": false,
"SourceProcessKilled": true
}
}
}
{
"Version": 1,
"Type": 11,
"TypeComputedMap": "ProcessExecution",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{5024762E-73B4-40DC-823A-7B080C82C542}",
"GenerateIncident": true,
"Timestamp": "2024-02-01T08:10:33.7922326-08:00",
"TimestampRaw": 133512774337922326,
"SpecificData": {
"SourceProcess": {
"PID": 7248,
"ProcessGuid": "{90FC03BE-4FBF-4184-A304-6D4B00AA152B}",
"ProcessImageName": "C:\\ragnarlocker.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "\"C:\\ragnarlocker.exe\" ",
"User": "S-1-5-21-1111111111-22222222-3333333333-000",
"UserNameLookup": "Administrator",
"UserDomainLookup": "EXAMPLE",
"IntegrityLevel": "S-1-16-11111",
"IntegrityLevelNameLookup": "High Mandatory Level",
"IntegrityLevelDomainLookup": "Mandatory Label",
"SessionID": 1,
"HashMd5": "68B329DA9893E34099C7D8AD5CB9C940",
"HashSha1": "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC",
"HashSha256": "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 2,
"CertificateSignatureStateComputedMap": "SignatureStateNoSignature",
"Certificates": [],
"ProcessStartTime": "2024-02-01T08:10:33.5801449-08:00",
"ProcessStartTimeRaw": 133512774335801449
},
"Action": {
"PolicyGuid": "{64AA4553-15FC-4188-B4AD-A0BDCFB11ED9}",
"PolicyVersion": 14,
"RuleGuid": "{B88B8874-E8E3-4F42-92B8-61D364DB65B9}",
"BaseRuleGuid": "{0C4D019E-B7D5-4456-909A-C5F4152461AE}",
"IdentifierGuid": "{BC74B5FB-8880-4A74-8316-FE865F9EA75C}",
"Blocked": true,
"UserDecision": false,
"SourceProcessKilled": true
},
"CreatedProcess": {
"PID": 11308,
"ProcessGuid": "{24F0AA75-BC26-4245-829E-97087BB07A47}",
"ProcessImageName": "C:\\Windows\\System32\\cmd.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet",
"User": "S-1-5-21-1111111111-22222222-3333333333-000",
"UserNameLookup": "Administrator",
"UserDomainLookup": "EXAMPLE",
"IntegrityLevel": "S-1-16-11111",
"IntegrityLevelNameLookup": "High Mandatory Level",
"IntegrityLevelDomainLookup": "Mandatory Label",
"SessionID": 1,
"HashMd5": "68B329DA9893E34099C7D8AD5CB9C940",
"HashSha1": "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC",
"HashSha256": "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "Microsoft Windows Production PCA 2011",
"SubjectCN": "Microsoft Windows",
"SigningTime": "2013-08-22T05:07:49.2400000-08:00",
"ValidityStart": "2013-06-17T13:43:38.0000000-08:00",
"ValidityEnd": "2014-09-17T13:43:38.0000000-08:00"
}
],
"ProcessStartTime": "2024-02-01T08:10:33.7833468-08:00",
"ProcessStartTimeRaw": 133512774337833468
},
"ParentProcess": {
"PID": 7248,
"ProcessGuid": "{D057290C-D86A-441B-B3CB-C6E54D42EBA5}",
"ProcessImageName": "C:\\ragnarlocker.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "\"C:\\ragnarlocker.exe\" ",
"User": "S-1-5-21-1111111111-22222222-3333333333-000",
"UserNameLookup": "Administrator",
"UserDomainLookup": "EXAMPLE",
"IntegrityLevel": "S-1-16-11111",
"IntegrityLevelNameLookup": "High Mandatory Level",
"IntegrityLevelDomainLookup": "Mandatory Label",
"SessionID": 1,
"HashMd5": "68B329DA9893E34099C7D8AD5CB9C940",
"HashSha1": "ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC",
"HashSha256": "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 2,
"CertificateSignatureStateComputedMap": "SignatureStateNoSignature",
"Certificates": [],
"ProcessStartTime": "2024-02-01T08:10:33.5801449-08:00",
"ProcessStartTimeRaw": 133512774335801449
}
},
"AdditionalData": {
"AgentAddresses": [
"172.24.0.14"
],
"AgentGroupGuid": "{00000000-0000-0000-0000-000000000000}",
"AgentGroupName": "Default group",
"AgentGuid": "{074C7CCE-ACF4-4674-9650-4B63B569892F}",
"AgentName": "WINSERVER2012",
"CategoryName": "Process",
"IncidentGuid": "{12CA4135-575E-49DE-89AD-4CD35EE2EB3B}",
"Message": "The 'ragnarlocker.exe' process attempted to run the 'cmd.exe' process",
"PolicyName": "Stormshield - Incredible policy (1)",
"SeverityName": "Emergency"
}
}
{
"Version": 1,
"Type": 173,
"TypeComputedMap": "FileCreate",
"Severity": 1,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0791A3-DF3A-49CB-922A-38C054779CBC}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T06:19:30.8012653+02:00",
"TimestampRaw": 133311395708012653,
"SpecificData": {
"SourceProcess": {
"PID": 4816,
"ProcessGuid": "{1A83B343-5C5C-4B0E-977A-B20CF86B43A8}",
"ProcessImageName": "C:\\Windows\\explorer.exe",
"VolumeZone": 3,
"VolumeZoneComputedBitMap": [
"Operating system",
"Computer Boot"
],
"ProcessCommandLine": "C:\\Windows\\Explorer.EXE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "MediumMandatoryLevel",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"SessionID": 1,
"HashMd5": "81886624735B4F8F019E731A8A2E6E69",
"HashSha1": "A30E4111E183514DEF89D2BC31071231DEABC4DF",
"HashSha256": "385DBAD0269CAE83598D6706229324EB3CBDEF00E21A0682161477D762AAF2C1",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2023-04-15T11:56:31.9920000+02:00",
"ValidityStart": "2023-02-03T02:05:41.0000000+02:00",
"ValidityEnd": "2024-02-01T02:05:41.0000000+02:00"
}
],
"ProcessStartTime": "2023-06-13T14:28:06.6858009+02:00",
"ProcessStartTimeRaw": 133311328866858009
},
"Action": {
"PolicyGuid": "{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}",
"PolicyVersion": 6,
"RuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F9}",
"BaseRuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F8}",
"IdentifierGuid": "{9BB78BCC-E85C-4CB5-A6CC-26E21029385C}",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"UsbDeviceInfo": {
"VendorId": 5118,
"ProductId": 25344,
"Class": 0,
"ClassComputedMap": "UseclassinformationintheInterfaceDescriptors",
"SubClass": 0,
"Protocol": 0,
"SerialNumber": "072117691198E329",
"VendorName": "",
"ProductName": "USBDISK3.0",
"Interfaces": [
{
"Class": 8,
"ClassComputedMap": "MassStorage",
"Subclass": 6,
"Protocol": 80
}
]
},
"UsbVolumeTrackingData": {
"EnrollFileState": 0,
"EnrollFileStateComputedMap": "Noenrollfile",
"FootprintFileState": 0,
"FootprintFileStateComputedMap": "Nofootprintfile",
"VendorId": 0,
"ProductId": 0,
"SerialNumberHashSha256": "0000000000000000000000000000000000000000000000000000000000000000",
"EnrollGuid": "{00000000-0000-0000-0000-000000000000}"
},
"AccessFromNetwork": {},
"Details": {
"SourcePath": "F:\\NewTextDocument.txt",
"Flags": 0,
"FlagsComputedBitMap": []
},
"DetailsType": 2,
"DetailsTypeComputedMap": "FILE_RENAME_DESTINATION",
"Path": "F:\\cxvbcxvbcxv.txt",
"MatchingPath": "",
"VolumeZone": 3,
"VolumeZoneComputedBitMap": [
"Operating system",
"Computer Boot"
],
"FileObjectType": 0,
"FileObjectTypeComputedMap": "FILE",
"FileOwner": "",
"FileOwnerNameLookup": "",
"FileOwnerDomainLookup": ""
}
}
{
"Version": 1,
"Type": 174,
"TypeComputedMap": "FileExecute",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0F62D1-43CA-41DE-838D-B80498CB7369}",
"Timestamp": "2023-06-15T03:50:00.0000000+01:00",
"TimestampRaw": 133232358000000000,
"GenerateIncident": false,
"SpecificData": {
"AccessFromNetwork": {
"ShareName": "\\\\Something",
"AddressFamily": 2,
"AddressFamilyComputedMap": "IPv4",
"Address": "127.0.0.1",
"Port": 80
},
"UsbDeviceInfo": {
"VendorName": "SanDisk",
"VendorId": 1921,
"ProductName": "Ultra",
"ProductId": 21889,
"SerialNumber": "4C530001211017121370",
"Class": 1,
"SubClass": 220,
"Interfaces": [
{
"Class": 254,
"SubClass": 254
},
{
"Class": 88,
"SubClass": 13
},
{
"Class": 224,
"SubClass": 16
}
]
},
"UsbVolumeTrackingData": {
"EnrollFileState": 5,
"EnrollGuid": "6b8a636d-a508-442e-835f-0538392c904e",
"FootprintFileState": 0
},
"FileOwner": "S-1-5-21-2222222-33333333-44444444-555",
"FileObjectType": 1,
"FileObjectTypeComputedMap": "DIRECTORY",
"MatchingPath": "c:\\tmp\\file2.txt",
"VolumeZone": 1024,
"VolumeZoneComputedBitMap": [
"Remote Webdav"
],
"Details": null,
"FileOwnerNameLookup": "User1",
"FileOwnerDomainLookup": "sshield1",
"Path": "c:\\test\\toto.txt",
"SourceProcess": {
"PID": 9,
"ProcessImageName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE",
"UserSID": null,
"SessionID": 0,
"ProcessGuid": "9d367a6c-04e4-491b-baa8-25b674db96d9",
"ProcessCommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE\"",
"HashMd5": "0470A1A62B3FAA0AF14D9AFD8FAFB221",
"HashSha1": "AC9F34399C7C5A9372EFE0FA16F33D12116016C6",
"HashSha256": "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7",
"UserNameLookup": "JOHNDOE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserDomainLookup": "TEST",
"CertificateSignatureState": 1,
"Certificates": null,
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "Medium",
"IntegrityLevelDomainLookup": "Mandatory Label",
"IsProtectedOrCritical": false,
"ProcessStartTimeRaw": 133204190354018719,
"ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
"CertificateSignatureStateComputedMap": "SignatureStateTrusted"
},
"Action": {
"PolicyGuid": "00000000-0000-0000-0000-000000000000",
"PolicyVersion": 0,
"RuleGuid": "00000000-0000-0000-0000-000000000000",
"BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
"IdentifierGuid": "00000000-0000-0000-0000-000000000000",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": true
}
}
}
{
"Version": 1,
"Type": 175,
"TypeComputedMap": "FileRead",
"Severity": 1,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0AA946-7DCE-4AB0-BA45-706B84C1F3FC}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T03:45:11.6239189+02:00",
"TimestampRaw": 133312167116239189,
"SpecificData": {
"SourceProcess": {
"PID": 196,
"ProcessGuid": "{FE730151-438E-4EEC-A433-47C5D4E3B8F0}",
"ProcessImageName": "C:\\Windows\\System32\\SearchIndexer.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "C:\\Windows\\system32\\SearchIndexer.exe/Embedding",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-16384",
"IntegrityLevelNameLookup": "SystemMandatoryLevel",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"SessionID": 0,
"HashMd5": "38E354B0E48633125C5AE4DF7A86AA27",
"HashSha1": "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD",
"HashSha256": "FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2023-03-29T01:48:03.5290000+02:00",
"ValidityStart": "2023-02-03T02:05:41.0000000+02:00",
"ValidityEnd": "2024-02-01T02:05:41.0000000+02:00"
}
],
"ProcessStartTime": "2023-06-14T11:12:07.0737445+02:00",
"ProcessStartTimeRaw": 133312075270737445
},
"Action": {
"PolicyGuid": "{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}",
"PolicyVersion": 9,
"RuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F9}",
"BaseRuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F8}",
"IdentifierGuid": "{9BB78BCC-E85C-4CB5-A6CC-26E21029385C}",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"UsbDeviceInfo": {
"VendorId": 1921,
"ProductId": 21889,
"Class": 0,
"ClassComputedMap": "UseclassinformationintheInterfaceDescriptors",
"SubClass": 0,
"Protocol": 0,
"SerialNumber": "04012f7f3a01c1ae65cdfeac1c2c89feb540858b0d034bc2c60f7de6edef26d7c8e6000000000000000000003b1bd6130017801881558107caa8e117",
"VendorName": "USB",
"ProductName": "SanDisk3.2Gen1",
"Interfaces": [
{
"Class": 8,
"ClassComputedMap": "MassStorage",
"Subclass": 6,
"Protocol": 80
}
]
},
"UsbVolumeTrackingData": {
"EnrollFileState": 5,
"EnrollFileStateComputedMap": "Enrollfileisvalidanditscontentmatches.",
"FootprintFileState": 5,
"FootprintFileStateComputedMap": "Footprintfileisvalidanditscontentmatches",
"VendorId": 1921,
"ProductId": 21889,
"SerialNumberHashSha256": "00A0D7D13C20905778EC71AFA1050B1E14E26C5AAF016496C37EE2E7D0120E98",
"EnrollGuid": "{2474130E-C1AA-4E37-A63E-88AA950FE3CA}"
},
"AccessFromNetwork": {},
"Details": {},
"DetailsType": 1,
"DetailsTypeComputedMap": "FILE_READ_DATA",
"Path": "E:\\SystemVolumeInformation\\IndexerVolumeGuid",
"MatchingPath": "",
"VolumeZone": 32768,
"VolumeZoneComputedBitMap": [
"Removableunknown"
],
"FileObjectType": 0,
"FileObjectTypeComputedMap": "FILE",
"FileOwner": "",
"FileOwnerNameLookup": "",
"FileOwnerDomainLookup": ""
}
}
{
"Version": 1,
"Type": 176,
"TypeComputedMap": "FileWrite",
"Severity": 1,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0C1ABD-CE40-4411-AFCB-FB4B8B330BF1}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T03:45:11.6219776+02:00",
"TimestampRaw": 133312167116219776,
"SpecificData": {
"SourceProcess": {
"PID": 196,
"ProcessGuid": "{FE730151-438E-4EEC-A433-47C5D4E3B8F0}",
"ProcessImageName": "C:\\Windows\\System32\\SearchIndexer.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "C:\\Windows\\system32\\SearchIndexer.exe/Embedding",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-16384",
"IntegrityLevelNameLookup": "SystemMandatoryLevel",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"SessionID": 0,
"HashMd5": "38E354B0E48633125C5AE4DF7A86AA27",
"HashSha1": "E1A0C914D7767BEAE5858E91C2F626DC7F7A48DD",
"HashSha256": "FAE9406A8A627C12FF9E18FEF4DF3CC91E0A2A766DC7D15BB8F2C3AD70CE95EF",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2023-03-29T01:48:03.5290000+02:00",
"ValidityStart": "2023-02-03T02:05:41.0000000+02:00",
"ValidityEnd": "2024-02-01T02:05:41.0000000+02:00"
}
],
"ProcessStartTime": "2023-06-14T11:12:07.0737445+02:00",
"ProcessStartTimeRaw": 133312075270737445
},
"Action": {
"PolicyGuid": "{0A8FF960-1689-41CF-9D87-A2796B1DE5BF}",
"PolicyVersion": 9,
"RuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F9}",
"BaseRuleGuid": "{7294769D-86DB-4448-89CB-80A6CF5CB8F8}",
"IdentifierGuid": "{9BB78BCC-E85C-4CB5-A6CC-26E21029385C}",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"UsbDeviceInfo": {
"VendorId": 1921,
"ProductId": 21889,
"Class": 0,
"ClassComputedMap": "UseclassinformationintheInterfaceDescriptors",
"SubClass": 0,
"Protocol": 0,
"SerialNumber": "04012f7f3a01c1ae65cdfeac1c2c89feb540858b0d034bc2c60f7de6edef26d7c8e6000000000000000000003b1bd6130017801881558107caa8e117",
"VendorName": "USB",
"ProductName": "SanDisk3.2Gen1",
"Interfaces": [
{
"Class": 8,
"ClassComputedMap": "MassStorage",
"Subclass": 6,
"Protocol": 80
}
]
},
"UsbVolumeTrackingData": {
"EnrollFileState": 5,
"EnrollFileStateComputedMap": "Enrollfileisvalidanditscontentmatches.",
"FootprintFileState": 5,
"FootprintFileStateComputedMap": "Footprintfileisvalidanditscontentmatches",
"VendorId": 1921,
"ProductId": 21889,
"SerialNumberHashSha256": "00A0D7D13C20905778EC71AFA1050B1E14E26C5AAF016496C37EE2E7D0120E98",
"EnrollGuid": "{2474130E-C1AA-4E37-A63E-88AA950FE3CA}"
},
"AccessFromNetwork": {},
"Details": {
"SecurityInformation": 5,
"SecurityInformationComputedBitMap": [
"OWNER_SECURITY_INFORMATION",
"DACL_SECURITY_INFORMATION"
]
},
"DetailsType": 10,
"DetailsTypeComputedMap": "FILE_SET_SECURITY",
"Path": "E:\\SystemVolumeInformation",
"MatchingPath": "",
"VolumeZone": 32768,
"VolumeZoneComputedBitMap": [
"Removableunknown"
],
"FileObjectType": 0,
"FileObjectTypeComputedMap": "FILE",
"FileOwner": "",
"FileOwnerNameLookup": "",
"FileOwnerDomainLookup": ""
}
}
{
"Version": 1,
"Type": 177,
"TypeComputedMap": "FileDelete",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD06EECF-C8D3-4BBE-B98F-A0DC5EDDE0C8}",
"Timestamp": "2023-06-15T04:20:00.0000000+01:00",
"TimestampRaw": 133232376000000000,
"GenerateIncident": false,
"SpecificData": {
"DetailsType": 2,
"DetailsTypeComputedMap": "FILE_RENAME_SOURCE",
"AccessFromNetwork": {
"ShareName": "\\\\Something",
"AddressFamily": 23,
"AddressFamilyComputedMap": "IPv6",
"Address": "192.168.128.211",
"Port": 22
},
"UsbDeviceInfo": {
"VendorName": "SanDisk",
"VendorId": 1921,
"ProductName": "Ultra",
"ProductId": 21889,
"SerialNumber": "4C530001211017121370",
"Class": 1,
"SubClass": 3,
"Interfaces": [
{
"Class": 8,
"SubClass": 11
},
{
"Class": 18,
"SubClass": 9
},
{
"Class": 11,
"SubClass": 254
}
]
},
"UsbVolumeTrackingData": {
"EnrollFileState": 1,
"EnrollGuid": "bf93de07-e0e0-45c9-bfc1-3dfd4fb68ef2",
"FootprintFileState": 5
},
"FileOwner": "S-1-5-21-2222222-33333333-44444444-555",
"FileObjectType": 0,
"FileObjectTypeComputedMap": "FILE",
"MatchingPath": "c:\\tmp\\file2.txt",
"VolumeZone": 64,
"VolumeZoneComputedBitMap": [
"Floppy"
],
"Details": {
"DesiredAccess": null,
"Attributes": null,
"FileName": null,
"SourcePath": null,
"DestinationPath": "c:\\test\\file1.txt",
"Operation": null,
"NewFileOwner": null,
"OldFileOwner": null,
"InformationClass": null,
"SecurityInformation": null,
"PageProtection": null,
"Address": null,
"Port": null
},
"FileOwnerNameLookup": "User1",
"FileOwnerDomainLookup": "sshield1",
"Path": "c:\\tmp\\file2.txt",
"SourceProcess": {
"PID": 8,
"ProcessImageName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
"UserSID": null,
"SessionID": 0,
"ProcessGuid": "f0fbb584-bc08-41d1-93a2-a04f8fc65c32",
"ProcessCommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"",
"HashMd5": "0470A1A62B3FAA0AF14D9AFD8FAFB111",
"HashSha1": "AC9F34399C7C5A9372EFE0FA16F33DA4116016C6",
"HashSha256": "1247766F6B5AD11E5C97167B5A452374E22876136FC7B44F79BE14AD9A7FA3E7",
"UserNameLookup": "JOHNDOE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserDomainLookup": "TEST",
"CertificateSignatureState": 5,
"Certificates": null,
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "Medium",
"IntegrityLevelDomainLookup": "Mandatory Label",
"IsProtectedOrCritical": false,
"ProcessStartTimeRaw": 133204190354018719,
"ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
"CertificateSignatureStateComputedMap": "SignatureStateUntrusted"
},
"Action": {
"PolicyGuid": "00000000-0000-0000-0000-000000000000",
"PolicyVersion": 0,
"RuleGuid": "00000000-0000-0000-0000-000000000000",
"BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
"IdentifierGuid": "00000000-0000-0000-0000-000000000000",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": true
}
}
}
{
"Version": 1,
"Type": 20002,
"TypeComputedMap": "LostBuffers",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD084103-F26D-49EA-8890-70C7DB7A63A6}",
"Timestamp": "2023-06-15T08:20:00.0000000+01:00",
"TimestampRaw": 133232520000000000,
"GenerateIncident": false,
"SpecificData": {
"LostBuffersCount": 30
}
}
{
"Version": 1,
"Type": 20003,
"TypeComputedMap": "NewPolicyNotification",
"Category": 4,
"CategoryComputedMap": "Other",
"Severity": 4,
"ServerReserved": 0,
"Attributes": 4,
"AttributesComputedBitMap": [
"Internal"
],
"EventGuid": "{AD093377-53C4-4595-860F-6CD64A4153FB}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T06:07:54.2839637+01:00",
"TimestampRaw": 133225888742839637,
"SpecificData": {
"PolicyName": "POL_TEST_ADE",
"PolicyVersion": 3,
"PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
"PolicyVersionInternal": 4
}
}
{
"Version": 1,
"Type": 20004,
"TypeComputedMap": "ServiceDidNotEndCorrectly",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD021EAE-7C29-4B3F-852E-553B95D26471}",
"Timestamp": "2023-06-15T08:40:00.0000000+01:00",
"TimestampRaw": 133232532000000000,
"GenerateIncident": false,
"SpecificData": {
"ServiceName": "EsaAppIdSvc"
}
}
{
"Version": 1,
"Type": 20006,
"TypeComputedMap": "EndUpgradeAgentSucceeded",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0CD620-F5A8-430B-8FA3-BEC8E204DC74}",
"Timestamp": "2023-06-15T08:50:00.0000000+01:00",
"TimestampRaw": 133232538000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20007,
"TypeComputedMap": "EndUpgradeAgentFailed",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD091E59-399B-4A0B-BB1F-7326C55502ED}",
"Timestamp": "2023-06-15T09:00:00.0000000+01:00",
"TimestampRaw": 133232544000000000,
"GenerateIncident": false,
"SpecificData": {
"ErrorCode": 5
}
}
{
"Version": 1,
"Type": 20008,
"TypeComputedMap": "NewPolicyErrorNotification",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD025B90-CBE6-4DF3-8F4B-BFD11E38270C}",
"Timestamp": "2023-06-15T09:10:00.0000000+01:00",
"TimestampRaw": 133232550000000000,
"GenerateIncident": false,
"SpecificData": {
"PolicyName": null
}
}
{
"Version": 1,
"Type": 20009,
"TypeComputedMap": "InvalidHivePackage",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0951E4-DF4A-4D4A-A636-ABEB310BB6E0}",
"Timestamp": "2023-06-15T09:20:00.0000000+01:00",
"TimestampRaw": 133232556000000000,
"GenerateIncident": false,
"SpecificData": {
"HivePackageFullPath": "C:\\Users\\User1\\Desktop\\maliviousHive.hive",
"LoadingOperationStatus": 5
}
}
{
"Version": 1,
"Type": 20010,
"TypeComputedMap": "StartUninstallAgent",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD042AB6-2DDF-4B8A-A805-9619857ECDFF}",
"Timestamp": "2023-06-15T09:30:00.0000000+01:00",
"TimestampRaw": 133232562000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20011,
"TypeComputedMap": "EndUninstallAgentSucceeded",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0DB33A-2194-4800-AB4E-C2BBCCFDE65D}",
"Timestamp": "2023-06-15T09:40:00.0000000+01:00",
"TimestampRaw": 133232568000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20012,
"TypeComputedMap": "EndUninstallAgentFailed",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD075976-1881-4C1C-AB5F-ABE0E0430C9A}",
"Timestamp": "2023-06-15T09:50:00.0000000+01:00",
"TimestampRaw": 133232574000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20013,
"TypeComputedMap": "InvalidPolicyPackageCab",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0B6BB8-6422-478E-93D7-1D9DD7A61EC3}",
"Timestamp": "2023-06-15T00:00:00.0000000+01:00",
"TimestampRaw": 133232580000000000,
"GenerateIncident": false,
"SpecificData": {
"PolicyPackageCabFullPath": "C:\\Users\\User1\\Desktop\\EsPolicy.hive",
"LoadingOperationStatus": 5
}
}
{
"Version": 1,
"Type": 20014,
"TypeComputedMap": "EsScriptHostCreateFailure",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0C4A06-F13C-47F1-BF3C-FD7136C519A4}",
"Timestamp": "2023-06-15T00:10:00.0000000+01:00",
"TimestampRaw": 133232586000000000,
"GenerateIncident": false,
"SpecificData": {
"ImplementationType": 0,
"StatusCode": 5
}
}
{
"Version": 1,
"Type": 20015,
"TypeComputedMap": "KernelCorruptionBugcheck",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0AA66F-5A03-4CE9-ABCD-86988444224C}",
"Timestamp": "2023-06-15T00:20:00.0000000+01:00",
"TimestampRaw": 133232592000000000,
"GenerateIncident": false,
"SpecificData": {
"Bugcheck": "0x00000109 (0x00000000, 0x00000000, 0x00000000, 0x00000000)"
}
}
{
"Version": 1,
"Type": 20016,
"TypeComputedMap": "InvalidPolicyPackageSignature",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0CDBE2-1FD9-43B4-80A3-219638B5C585}",
"Timestamp": "2023-06-15T00:30:00.0000000+01:00",
"TimestampRaw": 133232598000000000,
"GenerateIncident": false,
"SpecificData": {
"StatusCode": 5,
"PolicyPackageFile": "C:\\Users\\User1\\Desktop\\EsPolicy.hive"
}
}
{
"Version": 1,
"Type": 20017,
"TypeComputedMap": "StartAgentUpgrade",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD09E443-8DC7-4315-98A7-1C48312B835E}",
"Timestamp": "2023-06-15T00:40:00.0000000+01:00",
"TimestampRaw": 133232604000000000,
"GenerateIncident": false,
"SpecificData": {
"VersionFrom": "1.0.0.0",
"VersionTo": "2.0.0.0"
}
}
{
"Version": 1,
"Type": 20018,
"TypeComputedMap": "PolicyPackageSignerExpired",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0FE5D0-593B-41FA-B642-98F1CC214FB8}",
"Timestamp": "2023-06-15T00:50:00.0000000+01:00",
"TimestampRaw": 133232610000000000,
"GenerateIncident": false,
"SpecificData": {
"PolicyPackageFile": "C:\\Users\\User1\\Desktop\\EsPolicy.hive"
}
}
{
"Version": 1,
"Type": 20019,
"TypeComputedMap": "SelfProtectionLrpcFailure",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0A7F5A-905E-4E0B-AE2C-F1DA2D610788}",
"Timestamp": "2023-06-15T01:00:00.0000000+01:00",
"TimestampRaw": 133232616000000000,
"GenerateIncident": false,
"SpecificData": {
"ServerServiceName": "EsaAppIdSvc",
"SelfProtectionModuleName": "EsaGuardSvc",
"StatusCode": 5
}
}
{
"Version": 1,
"Type": 20020,
"TypeComputedMap": "NewPolicyFromUpdateErrorNotification",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0167A2-3042-453F-8E0C-F0B8BC76C13B}",
"Timestamp": "2023-06-15T01:10:00.0000000+01:00",
"TimestampRaw": 133232622000000000,
"GenerateIncident": false,
"SpecificData": {
"PolicyName": null
}
}
{
"Version": 1,
"Type": 20021,
"TypeComputedMap": "NewPolicyFromUpdateNotification",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0AEC3D-BAB1-4680-827B-FAB47FF00C8E}",
"Timestamp": "2023-06-15T01:20:00.0000000+01:00",
"TimestampRaw": 133232628000000000,
"GenerateIncident": false,
"SpecificData": {
"PolicyGuid": "00000000-0000-0000-0000-000000000000",
"PolicyVersion": 0,
"PolicyName": null
}
}
{
"Version": 1,
"Type": 20022,
"TypeComputedMap": "NewConfigurationNotification",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0533A5-A3D3-4F7E-A7B9-000FF784F592}",
"Timestamp": "2023-06-15T01:30:00.0000000+01:00",
"TimestampRaw": 133232634000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20023,
"TypeComputedMap": "NewConfigurationErrorNotification",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0369FB-ED19-4402-A1E7-900E95350EB8}",
"Timestamp": "2023-06-15T01:40:00.0000000+01:00",
"TimestampRaw": 133232640000000000,
"GenerateIncident": false,
"SpecificData": {
"StatusCode": 5
}
}
{
"Version": 1,
"Type": 20024,
"TypeComputedMap": "NewConfigurationFromUpdateErrorNotification",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0C916A-4D69-416B-8014-BB8C8E461CFB}",
"Timestamp": "2023-06-15T01:50:00.0000000+01:00",
"TimestampRaw": 133232646000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20025,
"TypeComputedMap": "NewConfigurationFromUpdateNotification",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0A125B-DF69-440B-B388-B1A9477E7D92}",
"Timestamp": "2023-06-15T02:00:00.0000000+01:00",
"TimestampRaw": 133232652000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20026,
"TypeComputedMap": "InvalidConfigurationPackageCab",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0F5A8B-5487-4B22-981A-885363295252}",
"Timestamp": "2023-06-15T02:10:00.0000000+01:00",
"TimestampRaw": 133232658000000000,
"GenerateIncident": false,
"SpecificData": {
"PackageCabFullPath": "C:\\Users\\User1\\Desktop\\EsConfig.hive",
"LoadingOperationStatus": 5
}
}
{
"Version": 1,
"Type": 20027,
"TypeComputedMap": "DowngradeIsNotAuthorized",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD010390-5326-4D21-9673-CD1B80EF7562}",
"Timestamp": "2023-06-15T02:20:00.0000000+01:00",
"TimestampRaw": 133232664000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20028,
"TypeComputedMap": "SafeModeSessionNotification",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0EF160-1AE3-47C3-8F2C-BA626C3D04C7}",
"Timestamp": "2023-06-15T02:30:00.0000000+01:00",
"TimestampRaw": 133232670000000000,
"GenerateIncident": false,
"SpecificData": {
"LoginName": "User1",
"Timestamp": "2023-03-13T10:54:24.6100962+01:00"
}
}
{
"Version": 1,
"Type": 20030,
"TypeComputedMap": "MaintenanceModeStart",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0B53D9-A9FF-4257-8A47-BA73FD9798EE}",
"Timestamp": "2023-06-15T02:40:00.0000000+01:00",
"TimestampRaw": 133232676000000000,
"GenerateIncident": false,
"SpecificData": {
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"User": "S-1-5-21-2222222-33333333-44444444-555"
}
}
{
"Version": 1,
"Type": 20031,
"TypeComputedMap": "MaintenanceModeStop",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD067EED-CA85-4D98-8C35-8DC58D0943C3}",
"Timestamp": "2023-06-15T02:50:00.0000000+01:00",
"TimestampRaw": 133232682000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20032,
"TypeComputedMap": "MaintenanceModeAgentUpgradePostponed",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0871CA-224C-4600-A48A-B562DB058C09}",
"Timestamp": "2023-06-15T03:00:00.0000000+01:00",
"TimestampRaw": 133232688000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20033,
"TypeComputedMap": "BfeIsStoppedNotification",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0E7607-D279-4188-BE30-E2A887B80D32}",
"Timestamp": "2023-06-15T03:10:00.0000000+01:00",
"TimestampRaw": 133232694000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20034,
"TypeComputedMap": "RepairFailureNotification",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0D4655-336D-4DD9-9532-78433F39364A}",
"Timestamp": "2023-06-15T03:20:00.0000000+01:00",
"TimestampRaw": 133232700000000000,
"GenerateIncident": false,
"SpecificData": {
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"Result": 5
}
}
{
"Version": 1,
"Type": 20035,
"TypeComputedMap": "RepairSuccessNotification",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0BBCE5-0299-4F04-9858-756036BCBFBC}",
"Timestamp": "2023-06-15T03:30:00.0000000+01:00",
"TimestampRaw": 133232706000000000,
"GenerateIncident": false,
"SpecificData": {
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"User": "S-1-5-21-2222222-33333333-44444444-555"
}
}
{
"Version": 1,
"Type": 20036,
"TypeComputedMap": "EndAgentModularityFailed",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD071DC0-58B6-4166-93AC-5E53F025C724}",
"Timestamp": "2023-06-15T03:40:00.0000000+01:00",
"TimestampRaw": 133232712000000000,
"GenerateIncident": false,
"SpecificData": {
"ErrorCode": 5
}
}
{
"Version": 1,
"Type": 20037,
"TypeComputedMap": "EndAgentModularitySucceeded",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD016C2D-6BA8-4348-BA6D-92FB1CE190A8}",
"Timestamp": "2023-06-15T03:50:00.0000000+01:00",
"TimestampRaw": 133232718000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20038,
"TypeComputedMap": "CommFinishFailedState",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD05A0F2-7163-4A09-9F2D-AB6EA6171047}",
"Timestamp": "2023-06-15T04:00:00.0000000+01:00",
"TimestampRaw": 133232724000000000,
"GenerateIncident": false,
"SpecificData": {
"ErrorCode": 5,
"State": 8,
"StateName": "PreviousStateName"
}
}
{
"Version": 1,
"Type": 20039,
"TypeComputedMap": "ForcedPatchApplication",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD09E4CF-09F4-4E78-A3E9-C4CB48471D46}",
"Timestamp": "2023-06-15T04:10:00.0000000+01:00",
"TimestampRaw": 133232730000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20040,
"TypeComputedMap": "ChallengeStart",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD04C00F-2052-440A-9E43-E685F60E2ACF}",
"Timestamp": "2023-06-15T04:20:00.0000000+01:00",
"TimestampRaw": 133232736000000000,
"GenerateIncident": false,
"SpecificData": {
"Duration": 0,
"ChallengeAction": 3
}
}
{
"Version": 1,
"Type": 20041,
"TypeComputedMap": "ChallengeStop",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0F233B-3CCE-470B-9312-A760E05C5065}",
"Timestamp": "2023-06-15T04:30:00.0000000+01:00",
"TimestampRaw": 133232742000000000,
"GenerateIncident": false,
"SpecificData": {
"Manual": true,
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"ChallengeAction": 0
}
}
{
"Version": 1,
"Type": 20042,
"TypeComputedMap": "ChallengeStopFailure",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD01D6E5-6517-4E2C-B029-8A4668B9A2BE}",
"Timestamp": "2023-06-15T04:40:00.0000000+01:00",
"TimestampRaw": 133232748000000000,
"GenerateIncident": false,
"SpecificData": {
"ErrorCode": 5
}
}
{
"Version": 1,
"Type": 20043,
"TypeComputedMap": "WrongCabinetVersion",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD052689-74F5-4E19-A0CE-13246249763C}",
"Timestamp": "2023-06-15T04:50:00.0000000+01:00",
"TimestampRaw": 133232754000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20044,
"TypeComputedMap": "MultipleNetworkInterfacesMatchingTest",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD07AF61-2014-44FF-83D1-FAFDEBA00A20}",
"Timestamp": "2023-06-15T05:00:00.0000000+01:00",
"TimestampRaw": 133232760000000000,
"GenerateIncident": false,
"SpecificData": {
"InterfaceName": "DEV",
"InterfaceDescription": "Lorem Iterfacum"
}
}
{
"Version": 1,
"Type": 20045,
"TypeComputedMap": "ChallengeStartFailure",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD04CFB2-80E8-4237-9345-B73E76623445}",
"Timestamp": "2023-06-15T05:10:00.0000000+01:00",
"TimestampRaw": 133232766000000000,
"GenerateIncident": false,
"SpecificData": {
"ErrorCode": 5
}
}
{
"Version": 1,
"Type": 20048,
"TypeComputedMap": "External",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0A2E72-1187-4BF6-8773-235285060E82}",
"Timestamp": "2023-06-15T05:20:00.0000000+01:00",
"TimestampRaw": 133232772000000000,
"GenerateIncident": false,
"SpecificData": {
"Description": "localized:EventForwarding_WinDefender_MalwareProtectionRealTimeProtectionFeatureConfigured",
"OriginType": 2,
"ExtraData": {
"Message": "This is a message",
"_OriginalText": "2021 Mar 24 17:54:54 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(5007): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: W102004X64: Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.\r\n \tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\ServiceStartStates = 0x1\r\n \tNew value: Default\\ServiceStartStates = 0x0"
},
"Fields": {
"BaseRuleGuid": "64a298f2-c9e8-451f-9637-84254d2d8332"
},
"Action": {
"PolicyGuid": "00000000-0000-0000-0000-000000000000",
"PolicyVersion": 0,
"RuleGuid": "00000000-0000-0000-0000-000000000000",
"BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
"IdentifierGuid": "00000000-0000-0000-0000-000000000000",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": false
}
}
}
{
"Version": 1,
"Type": 20048,
"TypeComputedMap": "External",
"Severity": 4,
"ServerReserved": 0,
"Attributes": 32,
"AttributesComputedBitMap": [
"External"
],
"EventGuid": "{5838A063-4210-4268-ADB0-39FC5B55A212}",
"GenerateIncident": false,
"Timestamp": "2024-03-22T14:01:26.6589969+00:00",
"TimestampRaw": 133555896866589969,
"SpecificData": {
"Action": {
"PolicyGuid": "{DFDA0F76-10AF-4615-B093-7AA46CC2E7A3}",
"PolicyVersion": 5,
"RuleGuid": "{63B63F11-7C06-4555-9542-3F7E795B98EE}",
"BaseRuleGuid": "{9B076C45-6373-4A4E-9310-F139A66794B4}",
"IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
"Blocked": false,
"RequestMoveToQuarantine": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"Description": "localized:EventForwarding_WinDefender_MalwareProtectionStateMalwareActionTaken",
"OriginType": 2,
"ExtraData": {
"_SourceCategory": 0,
"_HideFromUsers": 1,
"_OriginalText": "2024 Mar 22 14:01:25 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: INFORMATION(1117): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: DESKTOP-001: Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0 \tName: Trojan:Win32/BatTamper.A \tID: 2147818424 \tSeverity: Severe \tCategory: Trojan \tPath: file:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1; webfile:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048 \tDetection Origin: Internet \tDetection Type: Concrete \tDetection Source: Downloads and attachments \tUser: NT AUTHORITY\\SYSTEM \tProcess Name: Unknown \tAction: Quarantine \tAction Status: No additional actions required \tError Code: 0x00000000 \tError description: The operation completed successfully. \tSecurity intelligence Version: AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0 \tEngine Version: AM: 1.1.24020.9, NIS: 1.1.24020.9",
"program_name": "WinEvtLog",
"_NormalizerNames": "syslog-1-date-fmt-4, syslog-1-solaris-progname-1",
"_NormalizerIds": "4, 6",
"_FileType": "windows",
"_ExtractorIds": "1",
"_ExtractorNames": "windows",
"_RuleDescription": "localized:EventForwarding_WinDefender_MalwareProtectionStateMalwareActionTaken",
"_RuleId": 13,
"_RuleImportedId": 24,
"_RuleKeywords": "windows-defender",
"_RuleLevel": 6,
"__EvtXml": {
"Event": {
"System": {
"Provider": {
"Name": "Microsoft-Windows-Windows Defender",
"Guid": "{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}"
},
"EventID": "1117",
"Version": "0",
"Level": "4",
"Task": "0",
"Opcode": "0",
"Keywords": "0x8000000000000000",
"TimeCreated": {
"SystemTime": "2024-03-22T14:01:25.6359716Z"
},
"EventRecordID": "613",
"Correlation": {},
"Execution": {
"ProcessID": "5384",
"ThreadID": "4576"
},
"Channel": "Microsoft-Windows-Windows Defender/Operational",
"Computer": "DESKTOP-001",
"Security": {
"UserID": "S-1-5-18"
}
},
"EventData": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.23110.3",
"Detection ID": "{9C26ADFE-43AA-4884-9765-A2EC223DC7E0}",
"Detection Time": "2024-03-22T14:01:20.550Z",
"Threat ID": "2147818424",
"Threat Name": "Trojan:Win32/BatTamper.A",
"Severity ID": "5",
"Severity Name": "Severe",
"Category ID": "8",
"Category Name": "Trojan",
"FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BatTamper.A&threatid=2147818424&enterprise=0",
"Status Code": "4",
"State": "2",
"Source ID": "4",
"Source Name": "Downloads and attachments",
"Process Name": "Unknown",
"Detection User": "DESKTOP-001\\Lab",
"Path": "file:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1; webfile:_C:\\Users\\Lab\\Downloads\\TurnOffAV.ps1|https://github.com/|pid:13760,ProcessStart:133555896788321048",
"Origin ID": "4",
"Origin Name": "Internet",
"Execution ID": "0",
"Execution Name": "Unknown",
"Type ID": "0",
"Type Name": "Concrete",
"Pre Execution Status": "0",
"Action ID": "2",
"Action Name": "Quarantine",
"Error Code": "0x00000000",
"Error Description": "The operation completed successfully. ",
"Post Clean Status": "0",
"Additional Actions ID": "0",
"Additional Actions String": "No additional actions required",
"Remediation User": "NT AUTHORITY\\SYSTEM",
"Security intelligence Version": "AV: 1.407.619.0, AS: 1.407.619.0, NIS: 1.407.619.0",
"Engine Version": "AM: 1.1.24020.9, NIS: 1.1.24020.9"
}
}
}
},
"Fields": {
"_RuleGuid": "{63B63F11-7C06-4555-9542-3F7E795B98EE}",
"_BaseRuleGuid": "{9B076C45-6373-4A4E-9310-F139A66794B4}"
}
},
"AdditionalData": {
"AgentAddresses": [
"192.168.0.1"
],
"AgentGroupGuid": "{8C2850C0-1A73-4CBC-9831-5AA5D1438AF2}",
"AgentGroupName": "Desktop",
"AgentGuid": "{0E6DAED4-3505-4F96-9F8D-55FBC85CA4C7}",
"AgentName": "DESKTOP-001",
"CategoryName": "External",
"IncidentGuid": null,
"Message": "Windows Defender: The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.",
"PolicyName": "Lab Policy",
"SeverityName": "Warning"
}
}
{
"Version": 1,
"Type": 20049,
"TypeComputedMap": "ChallengeTooManyFailedAttempts",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0C6027-57C5-40B8-9A45-34C3259FD352}",
"Timestamp": "2023-06-15T05:30:00.0000000+01:00",
"TimestampRaw": 133232778000000000,
"GenerateIncident": false,
"SpecificData": {
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"User": "S-1-5-21-2222222-33333333-44444444-555"
}
}
{
"Version": 1,
"Type": 20050,
"TypeComputedMap": "MaintenanceModeAgentModularityPostponed",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0BF97F-A000-4C5E-B2FD-A9673DB49C79}",
"Timestamp": "2023-06-15T05:40:00.0000000+01:00",
"TimestampRaw": 133232784000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20051,
"TypeComputedMap": "EndUpgradeAgentNothingToDo",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD077BE1-8717-4796-AA97-4E4684223298}",
"Timestamp": "2023-06-15T05:50:00.0000000+01:00",
"TimestampRaw": 133232790000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20052,
"TypeComputedMap": "EndUpgradeAgentGuidUpdated",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD02DCFD-B400-42C2-BE32-B96BB54D4C10}",
"Timestamp": "2023-06-15T06:00:00.0000000+01:00",
"TimestampRaw": 133232796000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20053,
"TypeComputedMap": "MaintenanceModeStopFailed",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD07C559-BEF6-40F8-9624-C716A0F37F67}",
"Timestamp": "2023-06-15T06:10:00.0000000+01:00",
"TimestampRaw": 133232802000000000,
"GenerateIncident": false,
"SpecificData": {
"ErrorCode": 0
}
}
{
"Version": 1,
"Type": 20054,
"TypeComputedMap": "KerberosPassTheTicket",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0F24A3-2C61-4822-89C7-25C274043270}",
"Timestamp": "2023-06-15T06:20:00.0000000+01:00",
"TimestampRaw": 133232808000000000,
"GenerateIncident": false,
"SpecificData": {
"KirbiFileFullPath": "C:\\mimikatz_trunk\\Win32\\MyTicket.kirbi",
"Correlation": {
"PackageGuid": "a0ba8928-f715-4d6f-b43e-5d020e67c030",
"PackageVersion": 42
},
"SourceProcess": {
"PID": 9,
"ProcessImageName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE",
"UserSID": null,
"SessionID": 0,
"ProcessGuid": "9d367a6c-04e4-491b-baa8-25b674db96d9",
"ProcessCommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Excel.EXE\"",
"HashMd5": "0470A1A62B3FAA0AF14D9AFD8FAFB221",
"HashSha1": "AC9F34399C7C5A9372EFE0FA16F33D12116016C6",
"HashSha256": "1247766F6B5AD11E5C97167B5A452374E13976136FC7B44F79BE14AD9A7FA3E7",
"UserNameLookup": "JOHNDOE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserDomainLookup": "TEST",
"CertificateSignatureState": 1,
"Certificates": null,
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "Medium",
"IntegrityLevelDomainLookup": "Mandatory Label",
"IsProtectedOrCritical": false,
"ProcessStartTimeRaw": 133204190354018719,
"ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
"CertificateSignatureStateComputedMap": "SignatureStateTrusted"
},
"Action": {
"PolicyGuid": "00000000-0000-0000-0000-000000000000",
"PolicyVersion": 0,
"RuleGuid": "00000000-0000-0000-0000-000000000000",
"BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
"IdentifierGuid": "00000000-0000-0000-0000-000000000000",
"Blocked": true,
"UserDecision": false,
"SourceProcessKilled": false
}
}
}
{
"Version": 1,
"Type": 20055,
"TypeComputedMap": "ArpSpoofing",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD089472-11D1-45E7-859C-2185C0BC56EB}",
"Timestamp": "2023-06-15T06:30:00.0000000+01:00",
"TimestampRaw": 133232814000000000,
"GenerateIncident": false,
"SpecificData": {
"IPInterface": "172.30.225.122",
"SpoofedIP": "172.30.225.121",
"OldMacAddress": "00-ff-b7-1f-9d-10",
"SpoofedMacAddress": "00-ff-b7-1f-9d-11",
"Action": {
"PolicyGuid": "00000000-0000-0000-0000-000000000000",
"PolicyVersion": 0,
"RuleGuid": "00000000-0000-0000-0000-000000000000",
"BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
"IdentifierGuid": "00000000-0000-0000-0000-000000000000",
"Blocked": true,
"UserDecision": false,
"SourceProcessKilled": true
}
}
}
{
"Version": 1,
"Type": 20056,
"TypeComputedMap": "AgentOperationCertutilDecodeMaliciousUsage",
"Severity": 2,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD06E6EA-AC58-4B9F-96F2-1B4518003441}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T06:23:39.9571804+02:00",
"TimestampRaw": 133311398199571804,
"SpecificData": {
"Action": {
"PolicyGuid": "{FEFD7270-4013-94B9-0209-DEB987F40E89}",
"PolicyVersion": 14,
"RuleGuid": "{BEA2239E-7249-40A8-90BC-CD2981295600}",
"BaseRuleGuid": "{BEA2239E-7249-40A8-90BC-CD2981295600}",
"IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
"Blocked": false,
"RequestMoveToQuarantine": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"Correlation": {
"PackageGuid": "{06F508DA-1AB4-4A01-977D-2FD6E51C7F97}",
"PackageVersion": 6
},
"SourceProcess": {
"ProcessImageName": "C:\\Windows\\System32\\certutil.exe",
"VolumeZone": 1,
"HashSha1": "8564027153DCA487ECA613345AB3B2DE0ADD4F26",
"ProcessStartTime": "2023-06-13T16:23:39.2631277+02:00",
"SessionID": 2,
"UserNameLookup": "JOHNDOE",
"IntegrityLevelDomainLookup": "\u00c9tiquetteobligatoire",
"HashMd5": "018796D4670AC12865BE2F00382BBC8E",
"VolumeZoneComputedBitMap": [
"Operating system"
],
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-8192",
"PID": 4904,
"CertificateSignatureState": 1,
"User": "S-1-5-21-2222222-33333333-44444444-555",
"ProcessGuid": "{10C09418-9E9C-40E2-B7F7-20D70068CB34}",
"ProcessCommandLine": "certutil-decode\"C:\\Users\\Arkoon\\Desktop\\certutil-decode.cmd\"\"C:\\Users\\Arkoon\\AppData\\Local\\Temp\\pwned.exe\"",
"IntegrityLevelNameLookup": "Niveauobligatoiremoyen",
"ProcessStartTimeRaw": 133311398192631277,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"SigningTime": "2023-05-18T00:55:31.4620000+02:00",
"SubjectCN": "MicrosoftWindows",
"ValidityEnd": "2024-02-01T02:05:42.0000000+02:00",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"ValidityStart": "2023-02-03T02:05:42.0000000+02:00",
"Algorithm": "SHA256"
}
],
"IsProtectedOrCritical": false,
"HashSha256": "22D1471ED17C681AA5580C59712005E1C70EF9C306CBCAD245A64F7DFAE47847"
},
"ParentProcess": {
"ProcessImageName": "C:\\Windows\\System32\\cmd.exe",
"VolumeZone": 1,
"HashSha1": "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D",
"ProcessStartTime": "2023-06-13T16:23:39.0311777+02:00",
"SessionID": 2,
"UserNameLookup": "JOHNDOE",
"IntegrityLevelDomainLookup": "\u00c9tiquetteobligatoire",
"HashMd5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
"VolumeZoneComputedBitMap": [
"Operating system"
],
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-8192",
"PID": 6808,
"CertificateSignatureState": 1,
"User": "S-1-5-21-2222222-33333333-44444444-555",
"ProcessGuid": "{387F337F-56ED-4924-B1CC-96357B1E27B3}",
"ProcessCommandLine": "C:\\WINDOWS\\system32\\cmd.exe/c\"\"C:\\Users\\Arkoon\\Desktop\\certutil-decode.cmd\"\"",
"IntegrityLevelNameLookup": "Niveauobligatoiremoyen",
"ProcessStartTimeRaw": 133311398190311777,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"SigningTime": "2023-04-28T03:05:05.3450000+02:00",
"SubjectCN": "MicrosoftWindows",
"ValidityEnd": "2024-02-01T02:05:41.0000000+02:00",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"ValidityStart": "2023-02-03T02:05:41.0000000+02:00",
"Algorithm": "SHA256"
}
],
"IsProtectedOrCritical": false,
"HashSha256": "B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450"
},
"SourceFilePath": "C:\\Users\\Arkoon\\Desktop\\certutil-decode.cmd",
"DestinationFilePath": "C:\\Users\\Arkoon\\AppData\\Local\\Temp\\pwned.exe",
"FileContentType": 0,
"FileContentTypeComputedMap": "Unknown",
"FileContent": "406563686F206F66660D0A0D0A0D0A6563686F2E4465636F64696E6720656D6265646465642070726F6772616D2E2E2E0D0A7365742022544D505F46494C455F4E414D453D2554454D50255C70776E65"
}
}
{
"Version": 1,
"Type": 20057,
"TypeComputedMap": "AgentOperationCertutilDownloadMaliciousUsage",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0CE797-8230-47F1-A98E-2F273D1AF92A}",
"Timestamp": "2023-06-15T06:50:00.0000000+01:00",
"TimestampRaw": 133232826000000000,
"GenerateIncident": false,
"SpecificData": {
"DownloadUrl": "http://sample.xyz/malicious.encoded",
"DestinationFilePath": "c:\\malicious\\malicious.encoded",
"ParentProcess": {
"PID": 2,
"ProcessImageName": "C:\\Windows\\System32\\notepad.exe",
"UserSID": null,
"SessionID": 2,
"ProcessGuid": "92c248f1-0acd-11ea-a38a-00155d099004",
"ProcessCommandLine": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\arkoon\\Desktop\\_test\\test.totot",
"HashMd5": "F1139811BBF61362915958806AD30211",
"HashSha1": "D487580502354C61808C7180D1A336BEB7AD4624",
"HashSha256": "F1D62648EF915D85CB4FC140359E925395D315C70F3566B63BB3E21151CB2CE3",
"UserNameLookup": "JOHNDOE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserDomainLookup": "TEST",
"CertificateSignatureState": 0,
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "Microsoft Windows Production PCA 2011",
"SigningTime": "2019-11-07T04:32:51.5641056+01:00",
"ValidityEnd": "2020-05-02T22:24:36.0705280+01:00",
"ValidityStart": "2019-05-02T22:24:36.7807872+01:00",
"SubjectCN": "Microsoft Windows"
}
],
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "Medium",
"IntegrityLevelDomainLookup": "Mandatory Label",
"IsProtectedOrCritical": false,
"ProcessStartTimeRaw": 133204190354018719,
"ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
"CertificateSignatureStateComputedMap": "SignatureStateUnavailable"
},
"Correlation": {
"PackageGuid": "c0d2b0ff-b222-43bb-b134-50e8f4589806",
"PackageVersion": 42
},
"SourceProcess": {
"PID": 5,
"ProcessImageName": "C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsGuiSrv.exe",
"UserSID": null,
"SessionID": 0,
"ProcessGuid": "bed63e79-0f85-11ea-a38e-00155d099004",
"ProcessCommandLine": "\"C:\\Program Files\\Stormshield\\SES Evolution\\Agent\\Bin\\EsGuiSrv.exe\"",
"HashMd5": "E6224FC8CF2A26B386934DAC0A3495D0",
"HashSha1": "CF970FA39BA72CC531133EC327203EAD801DA846",
"HashSha256": "A6AACEDC3F1E866A4ED815595F8FFA6AD99F6AEA7EC937E6AAA9EB4E68B39737",
"UserNameLookup": "JOHNDOE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserDomainLookup": "TEST",
"CertificateSignatureState": 4,
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "Stormshield",
"SigningTime": "2019-11-25T14:15:45.4965475+01:00",
"ValidityEnd": "2040-01-01T00:59:59.1248256+01:00",
"ValidityStart": "2017-04-25T15:21:15.7216000+01:00",
"SubjectCN": "Stormshield"
}
],
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "Medium",
"IntegrityLevelDomainLookup": "Mandatory Label",
"IsProtectedOrCritical": false,
"ProcessStartTimeRaw": 133204190354018719,
"ProcessStartTime": "2023-02-09T13:23:55.4018719+01:00",
"CertificateSignatureStateComputedMap": "SignatureStateRevoked"
},
"Action": {
"PolicyGuid": "00000000-0000-0000-0000-000000000000",
"PolicyVersion": 0,
"RuleGuid": "00000000-0000-0000-0000-000000000000",
"BaseRuleGuid": "00000000-0000-0000-0000-000000000000",
"IdentifierGuid": "00000000-0000-0000-0000-000000000000",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": true
}
}
}
{
"Version": 1,
"Type": 20059,
"TypeComputedMap": "AgentInternalScriptRuntimeError",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD09A421-A13C-49BF-AB67-B48A5884C559}",
"Timestamp": "2023-06-15T07:00:00.0000000+01:00",
"TimestampRaw": 133232832000000000,
"GenerateIncident": false,
"SpecificData": {
"ExecutionStatus": 0,
"ScriptGuid": "00000000-0000-0000-0000-000000000000"
}
}
{
"Version": 1,
"Type": 20060,
"TypeComputedMap": "WmiPersistence",
"Severity": 1,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0903E9-4EEC-4EE0-9CBF-50E00F367470}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T07:02:14.4361240+02:00",
"TimestampRaw": 133311421344361240,
"SpecificData": {
"Action": {
"PolicyGuid": "{FEFD7270-4013-94B9-0209-DEB987F40E89}",
"PolicyVersion": 14,
"RuleGuid": "{D9AC047B-591C-42EA-86AD-0997EE000BEF}",
"BaseRuleGuid": "{D9AC047B-591C-42EA-86AD-0997EE000BEF}",
"IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
"Blocked": true,
"RequestMoveToQuarantine": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"Correlation": {
"PackageGuid": "{B757A1F5-8658-4567-A380-73F189F507E6}",
"PackageVersion": 2
},
"ConsumerType": 0,
"ConsumerTypeComputedMap": "CommandLineEventConsumer",
"ExecutedAction": "cmd.exe/cecho%ProcessId%>>c:\\\\\\\\tmp\\\\\\\\log.txt",
"ActionName": "Log01",
"Trigger": "Query=\"SELECT*FROMWin32_ProcessStartTraceWHEREProcessName='powershell.exe'\"",
"Namespace": "root/subscription",
"ESS": "Log01",
"Consumer": "CommandLineEventConsumer=\"Log01\"",
"PossibleCause": "BindingEventFilter:\ninstanceof__EventFilter\n{\n\tCreatorSID={1,5,0,0,0,0,0,5,21,0,0,0,182,250,126,125,203,125,194,67,199,210,196,157,233,3,0,0};\n\tEventNamespace=\"root/cimv2\";\n\tName=\"Log01\";\n\tQuery=\"SELECT*FROMWin32_ProcessStartTraceWHEREProcessName='powershell.exe'\";\n\tQueryLanguage=\"WQL\";\n};\nPerm.Consumer:\ninstanceofCommandLineEventConsumer\n{\n\tCommandLineTemplate=\"cmd.exe/cecho%ProcessId%>>c:\\\\\\\\tmp\\\\\\\\log.txt\";\n\tCreatorSID={1,5,0,0,0,0,0,5,21,0,0,0,182,250,126,125,203,125,194,67,199,210,196,157,233,3,0,0};\n\tName=\"Log01\";\n};\n",
"TimeCreated": "2023-06-13T15:02:08.6658788Z"
}
}
{
"Version": 1,
"Type": 20061,
"TypeComputedMap": "Discovery",
"Category": 4,
"CategoryComputedMap": "Other",
"Severity": 1,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0B6953-1407-4F68-B7BB-0540BD9F32B3}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T08:00:22.3680507+01:00",
"TimestampRaw": 133203492223680517,
"SpecificData": {
"Action": {
"PolicyGuid": "{C28F5498-FDC3-4E59-A13C-6139CE1FD00C}",
"PolicyVersion": 1,
"RuleGuid": "{468C2651-0EC0-42C5-A1D1-CA89F057DC0A}",
"BaseRuleGuid": "{468C2651-0EC0-42C5-A1D1-CA89F057DC0A}",
"IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
"Blocked": true,
"UserDecision": false,
"SourceProcessKilled": true
},
"Correlation": {
"PackageGuid": "{9D0A8212-4B3F-4ABA-9548-D5AAB6095E19}",
"PackageVersion": 4
},
"SourceProcess": {
"VolumeZone": 1,
"IntegrityLevel": "S-1-16-8192",
"UserNameLookup": "JOHNDOE",
"HashSha1": "F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D",
"CertificateSignatureState": 1,
"IntegrityLevelNameLookup": "MediumMandatoryLevel",
"VolumeZoneComputedBitMap": [
"Operating system"
],
"IntegrityLevelDomainLookup": "MandatoryLabel",
"ProcessGuid": "{9AC2D00F-F8B3-4917-B750-B3DAC7E6DC81}",
"Certificates": [
{
"Algorithm": "SHA256",
"SigningTime": "2022-06-09T00:22:44.7850000+01:00",
"ValidityStart": "2021-09-02T19:23:40.0000000+01:00",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"ValidityEnd": "2022-09-01T19:23:40.0000000+01:00"
}
],
"HashSha256": "B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"ProcessImageName": "C:\\Windows\\System32\\cmd.exe",
"ProcessStartTimeRaw": 133203492157056139,
"UserDomainLookup": "TEST",
"ProcessStartTime": "2023-02-08T18:00:15.7056139+01:00",
"PID": 5204,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"ProcessCommandLine": "\"C:\\Windows\\system32\\cmd.exe\"",
"IsProtectedOrCritical": false,
"HashMd5": "8A2122E8162DBEF04694B9C3E0B6CDEE",
"SessionID": 2
},
"DiscoveryProcess": {
"VolumeZone": 1,
"IntegrityLevel": "S-1-16-8192",
"UserNameLookup": "JOHNDOE",
"HashSha1": "D9BBB4E4900FF03B0486FAC32768170249DAD82D",
"CertificateSignatureState": 1,
"IntegrityLevelNameLookup": "MediumMandatoryLevel",
"VolumeZoneComputedBitMap": [
"Operating system"
],
"IntegrityLevelDomainLookup": "MandatoryLabel",
"ProcessGuid": "{D7235320-A1CF-4151-9451-1DFE77BC0F89}",
"Certificates": [
{
"Algorithm": "SHA256",
"SigningTime": "2022-06-09T01:51:05.6030000+01:00",
"ValidityStart": "2021-09-02T19:23:40.0000000+01:00",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"ValidityEnd": "2022-09-01T19:23:40.0000000+01:00"
}
],
"HashSha256": "53E000F5AA9B3A00934319DB8080BB99CB323BF48FC628A64F75D7847C265606",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"ProcessImageName": "C:\\Windows\\System32\\ipconfig.exe",
"ProcessStartTimeRaw": 133203492215762286,
"UserDomainLookup": "TEST",
"ProcessStartTime": "2023-02-08T18:00:21.5762286+01:00",
"PID": 5364,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"ProcessCommandLine": "ipconfig",
"IsProtectedOrCritical": false,
"HashMd5": "62F170FB07FDBB79CEB7147101406EB8",
"SessionID": 2
},
"BeginningTime": "2023-02-08T18:00:15.7184398+01:00",
"TriggerTime": "2023-02-08T18:00:21.5797212+01:00"
}
}
{
"Version": 1,
"Type": 20062,
"TypeComputedMap": "AgentInternalUninstallForbidden",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD04A57F-EE9F-4D86-AAD5-E7FC20313376}",
"Timestamp": "2023-06-15T07:30:00.0000000+01:00",
"TimestampRaw": 133232850000000000,
"GenerateIncident": false,
"SpecificData": {
"UninstallAttemptDateTime": "2020-07-07T09:29:06.066110400Z",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"User": "S-1-5-21-2222222-33333333-44444444-555"
}
}
{
"Version": 1,
"Type": 20063,
"TypeComputedMap": "AgentInternalLogExceedMaxSize",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD062E12-865A-4B16-B57B-37205E59277B}",
"Timestamp": "2023-06-15T07:40:00.0000000+01:00",
"TimestampRaw": 133232856000000000,
"GenerateIncident": false,
"SpecificData": {
"FaultyLogType": 1010,
"FaultyLogTypeComputedMap": null
}
}
{
"Version": 1,
"Type": 20064,
"TypeComputedMap": "StartModularityAgent",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0F3A16-4E4E-4790-B3EB-5558D437C77E}",
"Timestamp": "2023-06-15T07:50:00.0000000+01:00",
"TimestampRaw": 133232862000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20065,
"TypeComputedMap": "StartRepairAgent",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD000F33-953C-49B2-9E91-A9D0D16FABFB}",
"Timestamp": "2023-06-15T08:00:00.0000000+01:00",
"TimestampRaw": 133232868000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 1,
"Type": 20066,
"TypeComputedMap": "AgentInternalVolumeWithoutShadowStorage",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD07B4CE-114A-42D1-8080-3E10EAAF1F3A}",
"Timestamp": "2023-06-15T08:10:00.0000000+01:00",
"TimestampRaw": 133232874000000000,
"GenerateIncident": false,
"SpecificData": {
"VolumePath": "\\\\?\\Volume{3799cd4d-464b-4908-9537-3984827f7c29}\\",
"DriveLetter": "C:\\",
"VolumeLabel": "some label"
}
}
{
"Version": 1,
"Type": 20067,
"TypeComputedMap": "AgentInternalShadowCopyCreationFailure",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD04DBA1-AC27-47D4-ABBF-588CD950C127}",
"Timestamp": "2023-06-15T08:20:00.0000000+01:00",
"TimestampRaw": 133232880000000000,
"GenerateIncident": false,
"SpecificData": {
"VolumePath": "\\\\?\\Volume{a14d9f90-5db7-4b3c-8cf1-d9bd2f9f1a64}\\",
"DriveLetter": "C:\\",
"VolumeLabel": "some label",
"ErrorCode": 5
}
}
{
"Version": 1,
"Type": 20068,
"TypeComputedMap": "Ransomware",
"Category": 4,
"CategoryComputedMap": "Other",
"Severity": 1,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0C67CC-83EF-4966-8001-10A3B8B13EAC}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T05:23:07.3454198+01:00",
"TimestampRaw": 133225861873454198,
"SpecificData": {
"Action": {
"PolicyGuid": "{BF0D5FEE-FF2A-4E6B-97DA-A1FC246FE845}",
"PolicyVersion": 2,
"RuleGuid": "{158E5AB3-C2D2-4707-A8B0-9CD58950B8E2}",
"BaseRuleGuid": "{158E5AB3-C2D2-4707-A8B0-9CD58950B8E2}",
"IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
"Blocked": true,
"UserDecision": false,
"SourceProcessKilled": true
},
"Correlation": {
"PackageGuid": "{C4E948CC-1082-47B9-BE66-10A1B88A3202}",
"PackageVersion": 4
},
"SourceProcess": {
"ProcessImageName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"PID": 5816,
"VolumeZone": 1,
"HashMd5": "04029E121A0CFA5991749937DD22A1D9",
"ProcessStartTimeRaw": 133225860434012095,
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-12288",
"IntegrityLevelNameLookup": "HighMandatoryLevel",
"ProcessCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"",
"ProcessStartTime": "2023-03-06T15:20:43.4012095+01:00",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"CertificateSignatureState": 1,
"IsProtectedOrCritical": false,
"SessionID": 2,
"Certificates": [
{
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2022-12-02T00:08:48.1500000+01:00",
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"ValidityEnd": "2023-05-04T20:23:14.0000000+01:00",
"ValidityStart": "2022-05-05T20:23:14.0000000+01:00"
}
],
"HashSha1": "F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054",
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"HashSha256": "9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"ProcessGuid": "{70FCCA79-9933-4734-8CD6-28AE2E501771}",
"VolumeZoneComputedBitMap": [
"Operating system"
],
"UserNameLookup": "JOHNDOE"
},
"AlteredFileListFilePath": "C:\\ProgramData\\Stormshield\\SESEvolution\\Agent\\Diagnostics\\RansomwareProtection\\encrypted_files2023-03-0615-23-07.txt",
"OverallAlteredFilesCount": 10,
"AlteredFiles": [
{
"SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(1).txt",
"DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(1).txt.jmBrN"
},
{
"SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(10).txt",
"DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(10).txt.jmBrN"
},
{
"SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(11).txt",
"DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(11).txt.jmBrN"
},
{
"SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(12).txt",
"DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(12).txt.jmBrN"
},
{
"SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(13).txt",
"DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(13).txt.jmBrN"
},
{
"SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(14).txt",
"DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(14).txt.jmBrN"
},
{
"SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(15).txt",
"DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(15).txt.jmBrN"
},
{
"SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(16).txt",
"DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(16).txt.jmBrN"
},
{
"SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(17).txt",
"DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(17).txt.jmBrN"
},
{
"SourceFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(18).txt",
"DestinationFilename": "C:\\tmp\\Rans\\TXT\\Fichier-Copie(18).txt.jmBrN"
}
]
}
}
{
"Version": 1,
"Type": 20069,
"TypeComputedMap": "AgentInternalResourcePackageDownloadFailed",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD09591B-3AF8-4605-96DE-64B269B9173E}",
"Timestamp": "2023-06-15T08:40:00.0000000+01:00",
"TimestampRaw": 133232892000000000,
"GenerateIncident": false,
"SpecificData": {
"StatusCode": 5,
"ResourceGuid": "28110024-5807-45eb-9b7b-3aed55cb3f04"
}
}
{
"Version": 1,
"Type": 20070,
"TypeComputedMap": "AgentInternalInvalidResourcePackageSignature",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD018FE1-B276-4EB6-9E00-9A1CE516E02E}",
"Timestamp": "2023-06-15T08:50:00.0000000+01:00",
"TimestampRaw": 133232898000000000,
"GenerateIncident": false,
"SpecificData": {
"StatusCode": 5,
"ResourceGuid": "ce78187e-1062-4075-9bce-d8c92ee2b99e",
"ResourcePackageFile": "C:\\Users\\User1\\Desktop\\EsResource.cab"
}
}
{
"Version": 1,
"Type": 20071,
"TypeComputedMap": "AgentInternalSecOpsInvalidPackageSignature",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0B84DD-18EA-4C30-8D5B-91D288F9368A}",
"Timestamp": "2023-06-15T09:00:00.0000000+01:00",
"TimestampRaw": 133232904000000000,
"GenerateIncident": false,
"SpecificData": {
"StatusCode": 5,
"SecOpsGuid": "b9092244-2249-44bb-ae2d-f9e50a2b0b10",
"SecOpsPackageFile": "C:\\Users\\User1\\Desktop\\SecOpsTask.cab"
}
}
{
"Version": 1,
"Type": 20072,
"TypeComputedMap": "AgentInternalSecOpsInvalidJsonSize",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0E2013-BED1-4DC5-95FB-A881DB5F386A}",
"Timestamp": "2023-06-15T09:10:00.0000000+01:00",
"TimestampRaw": 133232910000000000,
"GenerateIncident": false,
"SpecificData": {
"StatusCode": -1609564141,
"SecOpsGuid": "fbba1fb1-efda-4bba-9929-2d5eae03344e",
"SecOpsPackageFile": "C:\\Users\\User1\\Desktop\\SecOpsTask.cab",
"JsonSize": 10241
}
}
{
"Version": 1,
"Type": 20073,
"TypeComputedMap": "AgentInternalDowngradeWithPivotVersion223IsRequired",
"Severity": 0,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD02148D-0FE6-4428-805C-3B1A58BB1E1D}",
"Timestamp": "2023-06-15T09:20:00.0000000+01:00",
"TimestampRaw": 133232916000000000,
"GenerateIncident": false,
"SpecificData": {}
}
{
"Version": 2,
"Type": 20079,
"TypeComputedMap": "AgentOperationYaraProcessAnalysisMatch",
"Severity": 1,
"ServerReserved": 0,
"Attributes": 2,
"AttributesComputedBitMap": [
"Protection"
],
"EventGuid": "{AD0FD776-0C61-4946-BA0C-185518A0361C}",
"GenerateIncident": false,
"Timestamp": "2023-06-15T01:58:14.4201973+02:00",
"TimestampRaw": 133300870944201973,
"SpecificData": {
"SourceProcess": {
"PID": 5848,
"ProcessGuid": "{36C8E9F1-41B8-44FF-B482-FD11D323D5C7}",
"ProcessImageName": "C:\\Windows\\explorer.exe",
"VolumeZone": 1,
"VolumeZoneComputedBitMap": [
"Operating system"
],
"ProcessCommandLine": "C:\\Windows\\Explorer.EXE",
"User": "S-1-5-21-2222222-33333333-44444444-555",
"UserNameLookup": "JOHNDOE",
"UserDomainLookup": "TEST",
"IntegrityLevel": "S-1-16-8192",
"IntegrityLevelNameLookup": "MediumMandatoryLevel",
"IntegrityLevelDomainLookup": "MandatoryLabel",
"SessionID": 2,
"HashMd5": "C6CD12BF63E9B9B4478E6F975E7C293D",
"HashSha1": "FE02128E2A9AF073DB5D6B3843469CA87391C22A",
"HashSha256": "E1EA06C6884A2CEB9DD0EFEB788011AB2B17041F1C7438A9555415501E9E374C",
"IsProtectedOrCritical": false,
"CertificateSignatureState": 1,
"CertificateSignatureStateComputedMap": "SignatureStateTrusted",
"Certificates": [
{
"Algorithm": "SHA256",
"IssuerCN": "MicrosoftWindowsProductionPCA2011",
"SubjectCN": "MicrosoftWindows",
"SigningTime": "2023-01-06T12:27:04.6400000+02:00",
"ValidityStart": "2022-05-05T21:23:15.0000000+02:00",
"ValidityEnd": "2023-05-04T21:23:15.0000000+02:00"
}
],
"ProcessStartTime": "2023-05-31T13:05:25.0959518+02:00",
"ProcessStartTimeRaw": 133300047250959518
},
"Action": {
"PolicyGuid": "{AD3E9A72-739A-4AEF-B62C-DB6A82EB6053}",
"PolicyVersion": 4,
"RuleGuid": "{6D01E214-075E-472C-A56D-3C6042DEA832}",
"BaseRuleGuid": "{CF2EB1A3-0A18-4406-B284-F72A4E21D34F}",
"IdentifierGuid": "{00000000-0000-0000-0000-000000000000}",
"Blocked": false,
"UserDecision": false,
"SourceProcessKilled": false
},
"AnalysisProperties": {
"AnalysisUnitGuid": "{919C4A6A-F381-4D01-A159-34C85152B5DF}",
"Triggers": 8,
"TriggersComputedBitMap": [
"TRIGGER_RULE_EVENT"
],
"AssociatedEventGuid": "{41FD7022-DCDA-4ECE-983D-C780EC4315CA}",
"AssociatedScheduledTaskGuid": "{00000000-0000-0000-0000-000000000000}",
"AssociatedSecOpsGuid": "{00000000-0000-0000-0000-000000000000}",
"AssociatedSecOpsRequestGuid": "{00000000-0000-0000-0000-000000000000}",
"AssociatedBaseRuleGuid": "{BD00BBE6-3264-46D6-A010-AF9419FD7243}",
"AssociatedRuleGuid": "{BD00BBE6-3264-46D6-A010-AF9419FD7245}"
},
"SourceProcessImageFileDetails": {
"FileFullPath": "C:\\Windows\\explorer.exe",
"FileCreateTime": "2023-01-12T10:52:38.2994281+02:00",
"LastModified": "2023-01-12T10:52:38.4088025+02:00",
"Owner": "S-1-5-21-2222222-33333333-44444444-555-2271478464",
"OwnerNameLookup": "TrustedInstaller",
"OwnerDomainLookup": "NTSERVICE",
"HashMd5": "C6CD12BF63E9B9B4478E6F975E7C293D",
"HashSha1": "FE02128E2A9AF073DB5D6B3843469CA87391C22A",
"HashSha256": "E1EA06C6884A2CEB9DD0EFEB788011AB2B17041F1C7438A9555415501E9E374C",
"HashSSDeep": "49152:JFV7+LB3mKxTLHWBwPvfb0xer5TaNFLGO3LL6Y6IEF98C21rf2JGno/n7w8A7/eE:obULwVw8a0cDl"
},
"MatchedYaraRules": [
{
"MatchedRule": "test_yaralib_pe_module_is_pe_rule",
"Tags": [],
"Metadatas": [
{
"MetadataKey": "description",
"MetadataValue": "module_is_pe_rule"
},
{
"MetadataKey": "author",
"MetadataValue": "SESQAManuel"
}
],
"MatchedStrings": []
},
{
"MatchedRule": "test_yaralib_pe_module_is_x64_rule",
"Tags"