Trend Micro Vision One Observed Attack Techniques
Overview
Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation. This intake format will ingest Observed Attack Techniques from Trend Micro Vision One.
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
- Supported environment: SaaS
- Detection based on: Alerts
- Supported application or feature:
  - Observed Attack Techniques
Configure
How to create an API token
- Log in to the Trend Vision One console.
- On the left panel, click Administration, then click API keys.
- Click Add API key.
- Type a name for the API key.
- Select the SIEM role and an expiration time.
- Check status to enable the API key.
- Copy the API key and click Close.
Instruction on Sekoia
Configure Your Intake
This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.
- Go to the Sekoia Intake page.
- Click on the + New Intake button at the top right of the page.
- Search for your Intake by the product name in the search bar.
- Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
- Click on Create.
Note
For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description |
---|---|
Network intrusion detection system | None |
In detail, the following table lists the types of events produced by this integration.
Name | Values |
---|---|
Kind | `` |
Category | intrusion_detection |
Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"source\": \"endpointActivityData\", \"uuid\": \"2d4af1a4-d784-4a91-9634-b0166f9118ef\", \"filters\": [{\"id\": \"F4231\", \"name\": \"Service Execution via Service Control Manager\", \"description\": \"Service Control Manager (services.exe) has executed a process\", \"mitreTacticIds\": [\"TA0002\"], \"mitreTechniqueIds\": [\"T1560.002\"], \"highlightedObjects\": [{\"type\": \"port\", \"field\": \"objectPort\", \"value\": 443}], \"riskLevel\": \"info\", \"type\": \"custom\"}], \"endpoint\": {\"endpointName\": \"LAB-Luwak-1048\", \"agentGuid\": \"b1cde761-16ad-4067-9a57-cbea882915df\", \"ips\": [\"150.183.13.135\", \"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e\"]}, \"entityType\": \"endpoint\", \"entityName\": \"desktop 1 (110.205.134.245) or 110.205.134.245 | xxxx@gmail.com | arn:aws:lambda:*:%s:function:%s | k8s_container-8c55678bd-8r7zt_default_c1e0cf9a-47bb-41e7-ad41-bac976462a81_6411 | 6d7d30d2148a | -\", \"detectedDateTime\": \"2020-06-01T02:12:56Z\", \"ingestedDateTime\": \"2020-06-01T02:12:56Z\", \"detail\": {\"eventTime\": \"1649806995000\", \"tags\": [\"MITREV9.T1569.002\", \"XSAE.F4231\"], \"uuid\": \"2d4af1a4-d784-4a91-9634-b0166f9118ef\", \"productCode\": \"xes\", \"filterRiskLevel\": \"info\", \"bitwiseFilterRiskLevel\": 1, \"eventId\": \"1\", \"eventSubId\": 2, \"eventHashId\": \"-7817927890991207527\", \"firstSeen\": \"1649806995000\", \"lastSeen\": \"1649806995000\", \"endpointGuid\": \"b1cde761-16ad-4067-9a57-cbea882915df\", \"endpointHostName\": \"LAB-Luwak-1048\", \"endpointIp\": [\"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e\", \"150.183.13.135\"], \"endpointMacAddress\": [\"00:50:56:89:09:9b\"], \"timezone\": \"UTC+08:00\", \"pname\": \"751\", \"pver\": \"1.2.0.2454\", \"plang\": 1, \"pplat\": 5889, \"osName\": \"Windows\", \"osVer\": \"10.0.19044\", \"osDescription\": \"Windows 10 Enterprise (64 bit) build 19044\", \"osType\": \"0x00000004\", \"processHashId\": \"8149551095598764453\", \"processName\": 
\"C:\\\\Windows\\\\System32\\\\services.exe\", \"processPid\": 672, \"sessionId\": 0, \"processUser\": \"SYSTEM\", \"processUserDomain\": \"NT AUTHORITY\", \"processLaunchTime\": \"1646826182237\", \"processCmd\": \"C:\\\\Windows\\\\system32\\\\services.exe\", \"authId\": \"999\", \"integrityLevel\": 16384, \"processFileHashId\": \"-4092577940452904134\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"processFileHashSha1\": \"a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e\", \"processFileHashSha256\": \"ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08\", \"processFileHashMd5\": \"dac02fbf9bebb39e34afe11bfddf2f83\", \"processSigner\": [\"Microsoft Windows Publisher\"], \"processSignerValid\": [true], \"processFileSize\": \"714856\", \"processFileCreation\": \"1618396713939\", \"processFileModifiedTime\": \"1618396713971\", \"processTrueType\": 7, \"objectHashId\": \"499492567380524547\", \"objectUser\": \"NETWORK SERVICE\", \"objectUserDomain\": \"NT AUTHORITY\", \"objectSessionId\": \"0\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\sppsvc.exe\", \"objectFileHashSha1\": \"42aeb6f7261c3c0521d19a77d2ea1956d122921f\", \"objectFileHashSha256\": \"be86edb76a659ddb715dbe985013683bf7831736a779178b28240ee74e393c21\", \"objectFileHashMd5\": \"e47a33a58764cd5cb567000035876e1a\", \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectFileSize\": \"4629328\", \"objectFileCreation\": \"1646822883174\", \"objectFileModifiedTime\": \"1646822883393\", \"objectTrueType\": 7, \"objectName\": \"C:\\\\Windows\\\\System32\\\\sppsvc.exe\", \"objectPid\": 3832, \"objectLaunchTime\": \"1649806995010\", \"objectCmd\": \"C:\\\\Windows\\\\system32\\\\sppsvc.exe\", \"objectAuthId\": \"996\", \"objectIntegrityLevel\": 16384, \"objectFileHashId\": \"-4729198244400997661\", \"objectRunAsLocalAccount\": false}}",
"event": {
"category": [
"intrusion_detection"
],
"end": "2022-04-12T23:43:15Z",
"start": "2022-04-12T23:43:15Z",
"type": [
"info"
]
},
"@timestamp": "2020-06-01T02:12:56Z",
"agent": {
"id": "b1cde761-16ad-4067-9a57-cbea882915df"
},
"host": {
"id": "b1cde761-16ad-4067-9a57-cbea882915df",
"ip": [
"150.183.13.135",
"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e"
],
"name": "LAB-Luwak-1048",
"os": {
"full": "Windows 10 Enterprise (64 bit) build 19044",
"name": "Windows",
"version": "10.0.19044"
}
},
"observer": {
"product": "Vision One",
"vendor": "TrendMicro"
},
"process": {
"command_line": "C:\\Windows\\system32\\sppsvc.exe",
"name": "services.exe",
"parent": {
"command_line": "C:\\Windows\\system32\\services.exe",
"executable": "C:\\Windows\\System32\\services.exe",
"hash": {
"md5": "dac02fbf9bebb39e34afe11bfddf2f83",
"sha1": "a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e",
"sha256": "ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08"
},
"pid": 672,
"start": "2022-03-09T11:43:02.237000Z",
"user": {
"domain": "NT AUTHORITY",
"name": "SYSTEM"
}
},
"pid": 3832
},
"related": {
"hash": [
"a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e",
"ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08",
"dac02fbf9bebb39e34afe11bfddf2f83"
],
"ip": [
"150.183.13.135",
"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e"
],
"user": [
"NETWORK SERVICE"
]
},
"threat": {
"tactic": {
"id": [
"TA0002"
]
},
"technique": {
"subtechnique": {
"id": [
"T1560.002"
]
}
}
},
"user": {
"domain": "NT AUTHORITY",
"name": "NETWORK SERVICE"
}
}
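As an added illustration of the transformation shown in the sample above (this is example code written for this page, not Sekoia's parser), the following Python function normalises a constructed raw OAT `message` into the same flattened layout: epoch-millisecond fields become the ISO-8601 form used in the samples, IPv6 addresses are canonicalised as in host.ip, the spawned object becomes `process` with the spawner as `process.parent`, and ATT&CK IDs are split between technique and sub-technique. The GUIDs and hashes in the constructed event are placeholders.

```python
import ipaddress
import json
import ntpath
from datetime import datetime, timezone

# Constructed raw OAT "message", modelled on the first sample above.
# GUIDs and hashes are placeholders, not values from a real alert.
RAW_OAT = json.dumps({
    "source": "endpointActivityData", "detectedDateTime": "2020-06-01T02:12:56Z",
    "filters": [{"id": "F4231", "name": "Service Execution via Service Control Manager",
                 "mitreTacticIds": ["TA0002"], "mitreTechniqueIds": ["T1569.002"],
                 "riskLevel": "info"}],
    "endpoint": {"endpointName": "LAB-Host-1", "agentGuid": "agent-guid-placeholder",
                 "ips": ["10.0.0.5", "1802:d896:65fe:0b84:742d:0615:f69b:6600", "not-an-ip"]},
    "detail": {
        "firstSeen": "1649806995000", "lastSeen": "1649806995000",
        "endpointGuid": "endpoint-guid-placeholder", "endpointHostName": "LAB-Host-1",
        "osName": "Windows", "osVer": "10.0.19044",
        "osDescription": "Windows 10 Enterprise (64 bit) build 19044",
        "processName": "C:\\Windows\\System32\\services.exe",
        "processCmd": "C:\\Windows\\system32\\services.exe",
        "processFilePath": "C:\\Windows\\System32\\services.exe",
        "processPid": 672, "processLaunchTime": "1646826182237",
        "processUser": "SYSTEM", "processUserDomain": "NT AUTHORITY",
        "processFileHashMd5": "md5-placeholder", "processFileHashSha1": "sha1-placeholder",
        "processFileHashSha256": "sha256-placeholder",
        "objectCmd": "C:\\Windows\\system32\\sppsvc.exe", "objectPid": 3832,
        "objectUser": "NETWORK SERVICE", "objectUserDomain": "NT AUTHORITY",
    },
})


def epoch_ms_to_iso(ms: str) -> str:
    """Epoch milliseconds -> the ISO-8601 form used in the samples: no fraction
    when the millisecond part is zero, a six-digit fraction otherwise."""
    value = int(ms)
    ts = datetime.fromtimestamp(value // 1000, tz=timezone.utc)
    ts = ts.replace(microsecond=(value % 1000) * 1000)  # integer maths, no float drift
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if ts.microsecond else "%Y-%m-%dT%H:%M:%SZ"
    return ts.strftime(fmt)


def normalise_ips(ips):
    """Drop anything that is not a valid address and canonicalise the rest
    (IPv6 leading zeros removed, as in the second sample's host.ip)."""
    out = []
    for ip in ips:
        try:
            out.append(str(ipaddress.ip_address(ip)))
        except ValueError:
            continue  # malformed value: skip it rather than poison related.ip
    return out


def split_techniques(ids):
    """ATT&CK IDs with a dot (T1569.002) go to technique.subtechnique.id,
    the others to technique.id, matching the threat block in the samples."""
    technique = {}
    plain = sorted(i for i in ids if "." not in i)
    sub = sorted(i for i in ids if "." in i)
    if plain:
        technique["id"] = plain
    if sub:
        technique["subtechnique"] = {"id": sub}
    return {"technique": technique}


def transform_oat(message: str) -> dict:
    """Map the raw OAT JSON string to the flattened event layout of the samples."""
    raw = json.loads(message)
    d = raw["detail"]
    flt = raw["filters"][0]  # the first matching filter carries the ATT&CK mapping
    hashes = {"md5": d.get("processFileHashMd5"), "sha1": d.get("processFileHashSha1"),
              "sha256": d.get("processFileHashSha256")}
    host_ips = normalise_ips(raw["endpoint"].get("ips", []))
    return {
        "@timestamp": raw["detectedDateTime"],
        "event": {"category": ["intrusion_detection"], "type": ["info"],
                  "start": epoch_ms_to_iso(d["firstSeen"]), "end": epoch_ms_to_iso(d["lastSeen"])},
        "agent": {"id": raw["endpoint"]["agentGuid"]},
        "host": {"id": d["endpointGuid"], "name": d["endpointHostName"], "ip": host_ips,
                 "os": {"name": d["osName"], "version": d["osVer"], "full": d["osDescription"]}},
        "observer": {"vendor": "TrendMicro", "product": "Vision One"},
        # As in the samples: the spawned "object" becomes process, the spawning
        # process becomes process.parent, and process.name is the spawner's basename.
        "process": {
            "pid": d["objectPid"], "command_line": d["objectCmd"],
            "name": ntpath.basename(d["processName"]),
            "parent": {"pid": d["processPid"], "command_line": d["processCmd"],
                       "executable": d["processFilePath"],
                       "start": epoch_ms_to_iso(d["processLaunchTime"]),
                       "hash": hashes,
                       "user": {"name": d["processUser"], "domain": d["processUserDomain"]}},
        },
        "related": {"hash": sorted(h for h in hashes.values() if h),
                    "ip": host_ips, "user": [d["objectUser"]]},
        "threat": {"tactic": {"id": sorted(flt["mitreTacticIds"])},
                   **split_techniques(flt["mitreTechniqueIds"])},
        "user": {"name": d["objectUser"], "domain": d["objectUserDomain"]},
    }
```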
{
"message": "{\"source\": \"endpointActivityData\", \"uuid\": \"541ec898-a229-49ae-831a-04f0a8fdb256\", \"detectedDateTime\": \"2024-11-26T16:45:02Z\", \"filters\": [{\"id\": \"F3457\", \"name\": \"Execution of System Discovery Tools\", \"description\": \"Detects the execution of system discovery tools\", \"highlightedObjects\": [{\"field\": \"objectCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\klist.exe\\\"\"}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0007\"], \"mitreTechniqueIds\": [\"T1082\"], \"riskLevel\": \"low\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"239.144.71.57\"], \"eventId\": \"1\", \"eventSubId\": 2, \"eventTime\": \"1732639502571\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639502571\", \"groupId\": \"3927f750-c536-480a-ae9f-d9ede20f4a9e\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639502571\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\klist.exe\\\"\", \"objectFileHashMd5\": \"c0ab059977511f3da83329c7562224e0\", \"objectFileHashSha1\": \"a4c1830c1e00779c50626a5ea93b8a54e2e3960b\", \"objectFileHashSha256\": \"f4c3734b96965947a3f42c6509538774bd0ecea110edfcb9f7463c83c90f32a7\", \"objectFilePath\": \"C:\\\\Windows\\\\System32\\\\klist.exe\", \"objectHashId\": \"-4153650555873691306\", \"objectIntegrityLevel\": 12288, \"objectName\": \"C:\\\\Windows\\\\System32\\\\klist.exe\", \"objectPid\": 3464, \"objectSigner\": [\"Microsoft Windows\"], \"objectSignerValid\": [true], \"objectTrueType\": 7, \"objectUser\": \"jdoe\", 
\"objectUserDomain\": \"Windows10\", \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"a377274ae8e84c7e8ff5fd1b3bb9d080\", \"parentFileHashSha1\": \"b1db7fd8ea0d2fb6ca854609c9ff7de5a822b316\", \"parentFileHashSha256\": \"4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": \"fe6a3a98112b13aaad196444afcc041c\", \"processFileHashSha1\": \"0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b\", \"processFileHashSha256\": \"09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F3457\", \"MITRE.T1082\"], \"uuid\": \"775a187e-723d-4889-a532-0835e28ab109\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"-1446580424195895092\", \"processFileSize\": \"212992\", 
\"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"parentSignerFlagsLibValid\": [false], \"objectFileCreation\": \"1728117145131\", \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"objectFileSize\": \"76288\", \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectFileModifiedTime\": \"1728117145131\", \"objectSignerFlagsRuntime\": [false], \"objectSessionId\": \"2\", \"objectRunAsLocalAccount\": false, \"objectSignerFlagsLibValid\": [false], \"objectLaunchTime\": \"1732639502565\", \"objectSignerFlagsAdhoc\": [false], \"objectAuthId\": \"1494147\", \"objectFileHashId\": \"-8054087497998296081\", \"processUserGroupSids\": [\"S-1-1-0\", \"S-1-5-114\"], \"objectUserGroupSids\": [\"S-1-1-0\", \"S-1-5-114\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,239.144.71.57)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"239.144.71.57\"], \"agentGuid\": \"9f6b89c4-c3b2-4b9f-9401-dae324506ceb\", \"endpointName\": \"Windows10\"}}",
"event": {
"category": [
"intrusion_detection"
],
"end": "2024-11-26T16:45:02.571000Z",
"start": "2024-11-26T16:45:02.571000Z",
"type": [
"info"
]
},
"@timestamp": "2024-11-26T16:45:02Z",
"agent": {
"id": "9f6b89c4-c3b2-4b9f-9401-dae324506ceb"
},
"group": {
"id": "3927f750-c536-480a-ae9f-d9ede20f4a9e"
},
"host": {
"id": "1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1",
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"239.144.71.57"
],
"name": "Windows10",
"os": {
"full": "Windows 10 Pro (64 bit) build 19045",
"name": "Windows",
"version": "10.0.19045"
}
},
"observer": {
"product": "Vision One",
"vendor": "TrendMicro"
},
"process": {
"command_line": "\"C:\\Windows\\system32\\klist.exe\"",
"name": "powershell_ise.exe",
"parent": {
"command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ",
"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
"hash": {
"md5": "fe6a3a98112b13aaad196444afcc041c",
"sha1": "0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b",
"sha256": "09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed"
},
"parent": {
"command_line": "C:\\Windows\\Explorer.EXE",
"executable": "C:\\Windows\\explorer.exe",
"hash": {
"md5": "a377274ae8e84c7e8ff5fd1b3bb9d080",
"sha1": "b1db7fd8ea0d2fb6ca854609c9ff7de5a822b316",
"sha256": "4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac"
},
"name": "explorer.exe",
"pid": "9920",
"start": "2024-11-26T16:35:53.785000Z",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
},
"pid": 5040,
"start": "2024-11-26T16:37:55.967000Z",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
},
"pid": 3464
},
"related": {
"hash": [
"09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed",
"0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b",
"fe6a3a98112b13aaad196444afcc041c"
],
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"239.144.71.57"
],
"user": [
"jdoe"
]
},
"threat": {
"tactic": {
"id": [
"TA0007"
]
},
"technique": {
"id": [
"T1082"
]
}
},
"user": {
"domain": "Windows10",
"name": "jdoe"
}
}
{
"message": "{\"source\": \"endpointActivityData\", \"uuid\": \"43483725-969b-4fb8-a453-c2353a9a5e12\", \"detectedDateTime\": \"2024-11-26T16:45:01Z\", \"filters\": [{\"id\": \"F3367\", \"name\": \"Sensitive File Locating via Powershell\", \"description\": \"Locate files deemed sensitive via Powershell\", \"highlightedObjects\": [{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; 
$_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0009\"], \"mitreTechniqueIds\": [\"T1005\"], \"riskLevel\": \"low\", \"type\": \"preset\"}, {\"id\": \"F1971\", \"name\": \"Modify File Last Modified Timestamp With PowerShell\", \"description\": \"An attempt to modify file's last modified timestamp using Powershell was detected on an endpoint.\", \"highlightedObjects\": [{\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, 
{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ 
CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0005\"], \"mitreTechniqueIds\": [\"T1070\", \"T1070.006\"], \"riskLevel\": \"info\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"9567d4bc-ce0b-45cf-b259-138beb4c80c3\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"eventId\": \"11\", \"eventSubId\": 901, \"eventTime\": \"1732639501774\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639501774\", \"groupId\": \"a1c0d757-0961-40a4-8a00-bf9b2922d5de\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639503446\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectAppName\": \"PowerShell_C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe_10.0.19041.1\", \"objectHashId\": 
\"-1780503710981816722\", \"objectRawDataStr\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + 
$_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"], \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"f8ad78f2ad64799786242d69ef77edd7\", \"parentFileHashSha1\": \"f021ca2dca81ee77aa80467096a804a26cd11364\", \"parentFileHashSha256\": \"f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": 
\"bd5cf4568d83088240e3b33f9f9838b1\", \"processFileHashSha1\": \"b1692a60d67dc55538f9a25ad3874a6a8f6bb089\", \"processFileHashSha256\": \"4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F1971\", \"XSAE.F3367\", \"MITRE.T1005\", \"MITRE.T1070.006\", \"MITRE.T1070\"], \"uuid\": \"b2ece961-6eed-43f1-8890-a8d926840049\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"7588760429245659303\", \"processFileSize\": \"212992\", \"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"objectFirstSeen\": \"1732639501774\", \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"objectLastSeen\": \"1732639503446\", \"parentSignerFlagsLibValid\": [false], \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectSessionId\": \"19746\", \"objectRawDataSize\": [\"2995\", \"3802\", \"50\", \"55\", \"44\", \"32\", \"169\", \"169\", \"170\", \"56\", \"107\", \"1848\", 
\"1719\", \"411\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,193.103.164.106)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"agentGuid\": \"8e53268d-8348-4fd4-a314-b742448960c9\", \"endpointName\": \"Windows10\"}}",
"event": {
"category": [
"intrusion_detection"
],
"end": "2024-11-26T16:45:03.446000Z",
"start": "2024-11-26T16:45:01.774000Z",
"type": [
"info"
]
},
"@timestamp": "2024-11-26T16:45:01Z",
"action": {
"properties": {
"ScriptBlockText": [
"\r\n $_.PSParentPath.Replace(\"Microsoft.PowerShell.Core\\FileSystem::\", \"\")\r\n ",
"\r\n [String]::Format(\"{0,10} {1,8}\", $_.LastWriteTime.ToString(\"d\"), $_.LastWriteTime.ToString(\"t\"))\r\n ",
"\r\n if ($_.FullyQualifiedErrorId -ne \"NativeCommandErrorMessage\" -and $ErrorView -ne \"CategoryView\")\r\n {\r\n $myinv = $_.InvocationInfo\r\n if ($myinv -and $myinv.MyCommand)\r\n {\r\n switch -regex ( $myinv.MyCommand.CommandType )\r\n {\r\n ([System.Management.Automation.CommandTypes]::ExternalScript)\r\n {\r\n if ($myinv.MyCommand.Path)\r\n {\r\n $myinv.MyCommand.Path + \" : \"\r\n }\r\n break\r\n }\r\n ([System.Management.Automation.CommandTypes]::Script)\r\n {\r\n if ($myinv.MyCommand.ScriptBlock)\r\n {\r\n $myinv.MyCommand.ScriptBlock.ToString() + \" : \"\r\n }\r\n break\r\n }\r\n default\r\n {\r\n if ($myinv.InvocationName -match '^[&\\.]?$')\r\n {\r\n if ($myinv.MyCommand.Name)\r\n {\r\n $myinv.MyCommand.Name + \" : \"\r\n }\r\n }\r\n else\r\n {\r\n $myinv.InvocationName + \" : \"\r\n }\r\n break\r\n }\r\n }\r\n }\r\n elseif ($myinv -and $myinv.InvocationName)\r\n {\r\n $myinv.InvocationName + \" : \"\r\n }\r\n }\r\n ",
"\r\n if ($_.FullyQualifiedErrorId -eq \"NativeCommandErrorMessage\") {\r\n $_.Exception.Message \r\n }\r\n else\r\n {\r\n $myinv = $_.InvocationInfo\r\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\r\n $posmsg = $myinv.PositionMessage\r\n } else {\r\n $posmsg = \"\"\r\n }\r\n \r\n if ($posmsg -ne \"\")\r\n {\r\n $posmsg = \"`n\" + $posmsg\r\n }\r\n \t\t\t\t \r\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\r\n $posmsg = \" : \" + $_.PSMessageDetails + $posmsg \r\n }\r\n\r\n $indent = 4\r\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\r\n\r\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\r\n if ($errorCategoryMsg -ne $null)\r\n {\r\n $indentString = \"+ CategoryInfo : \" + $_.ErrorCategory_Message\r\n }\r\n else\r\n {\r\n $indentString = \"+ CategoryInfo : \" + $_.CategoryInfo\r\n }\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n\r\n $indentString = \"+ FullyQualifiedErrorId : \" + $_.FullyQualifiedErrorId\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n\r\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\r\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\r\n {\r\n $indentString = \"+ PSComputerName : \" + $originInfo.PSComputerName\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n }\r\n\r\n if ($ErrorView -eq \"CategoryView\") {\r\n $_.CategoryInfo.GetMessage()\r\n }\r\n elseif (! $_.ErrorDetails -or ! $_.ErrorDetails.Message) {\r\n $_.Exception.Message + $posmsg + \"`n \"\r\n } else {\r\n $_.ErrorDetails.Message + $posmsg\r\n }\r\n }\r\n ",
"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\r\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\r\n{\r\n return '({0})' -f $_.Length\r\n}\r\nreturn $_.Length",
"{\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }",
"{\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }",
"{\n Write-Host $_.FullName\n }",
"{\n $Drive = $_\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }\n}",
"{\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\n Write-Host \"$_ Found!\" -ForegroundColor red\n }\n}",
"{\n if (Test-Path $_) {\n Write-Host \"$_ found.\"\n }\n}",
"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }",
"{ Set-StrictMode -Version 1; $_.OriginInfo }",
"{ Set-StrictMode -Version 1; $_.PSMessageDetails }"
]
}
},
"agent": {
"id": "8e53268d-8348-4fd4-a314-b742448960c9"
},
"group": {
"id": "a1c0d757-0961-40a4-8a00-bf9b2922d5de"
},
"host": {
"id": "9567d4bc-ce0b-45cf-b259-138beb4c80c3",
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"193.103.164.106"
],
"name": "Windows10",
"os": {
"full": "Windows 10 Pro (64 bit) build 19045",
"name": "Windows",
"version": "10.0.19045"
}
},
"observer": {
"product": "Vision One",
"vendor": "TrendMicro"
},
"process": {
"name": "powershell_ise.exe",
"parent": {
"command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ",
"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
"hash": {
"md5": "bd5cf4568d83088240e3b33f9f9838b1",
"sha1": "b1692a60d67dc55538f9a25ad3874a6a8f6bb089",
"sha256": "4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2"
},
"parent": {
"command_line": "C:\\Windows\\Explorer.EXE",
"executable": "C:\\Windows\\explorer.exe",
"hash": {
"md5": "f8ad78f2ad64799786242d69ef77edd7",
"sha1": "f021ca2dca81ee77aa80467096a804a26cd11364",
"sha256": "f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f"
},
"name": "explorer.exe",
"pid": "9920",
"start": "2024-11-26T16:35:53.785000Z",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
},
"pid": 5040,
"start": "2024-11-26T16:37:55.967000Z",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
}
},
"related": {
"hash": [
"4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2",
"b1692a60d67dc55538f9a25ad3874a6a8f6bb089",
"bd5cf4568d83088240e3b33f9f9838b1"
],
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"193.103.164.106"
]
},
"threat": {
"tactic": {
"id": [
"TA0005",
"TA0009"
]
},
"technique": {
"id": [
"T1005",
"T1070"
],
"subtechnique": {
"id": [
"T1070.006"
]
}
}
}
}
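The transformation shown in the sample above, as an added example that is neither Sekoia's parser nor Trend Micro code: a small Python normaliser that maps a constructed OAT event (same field names as the raw `message` above, trimmed to what is needed) to the ECS-style document, covering the epoch-millisecond timestamps, the process hierarchy (Trend's `process*` fields become `process.parent`, `parent*` become `process.parent.parent`) and the MITRE ids gathered from `filters` and the `MITRE.*` tags, then runs a hunting check over `action.properties.ScriptBlockText` for the credential-hunting markers visible in this sample. `TECHNIQUE_TACTIC` (the sample above shows a tactic, TA0009, that the raw filter does not list, apparently inferred from T1005; the table here is a partial stand-in for whatever the real parser uses) and `HUNTING_INDICATORS` are assumptions of this example, as are the constructed script-block excerpts.

```python
"""Normalise a Trend Vision One Observed Attack Technique (OAT) event into the ECS-style
document shown above, then hunt over the PowerShell script blocks it carries.  Added example,
not Sekoia's parser: the mapping is read off this page's samples; the two tables are stubs."""
import json
import re
from datetime import datetime, timezone

# Assumption: partial technique -> tactic table.  The sample above shows the parser adding
# TA0009 (Collection) for T1005 although the raw filter only lists TA0005.
TECHNIQUE_TACTIC = {"T1005": "TA0009", "T1070": "TA0005", "T1082": "TA0007"}

# Constructed OAT event in the layout of the page's samples, trimmed to the fields used here.
SAMPLE_OAT = {
    "detectedDateTime": "2024-11-26T16:45:01Z",
    "filters": [{"id": "F1971", "riskLevel": "info", "mitreTacticIds": ["TA0005"],
                 "mitreTechniqueIds": ["T1070", "T1070.006"]}],
    "endpoint": {"agentGuid": "8e53268d-8348-4fd4-a314-b742448960c9"},
    "detail": {
        "firstSeen": "1732639501774", "lastSeen": "1732639503446",
        "endpointGuid": "9567d4bc-ce0b-45cf-b259-138beb4c80c3", "endpointHostName": "Windows10",
        "endpointIp": ["193.103.164.106"], "osName": "Windows", "osVer": "10.0.19045",
        "tags": ["XSAE.F1971", "MITRE.T1005", "MITRE.T1070.006", "MITRE.T1070"],
        "processName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
        "processCmd": '"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" ',
        "processPid": 5040, "processLaunchTime": "1732639075967",
        "processUser": "jdoe", "processUserDomain": "Windows10",
        "parentName": "C:\\Windows\\explorer.exe", "parentCmd": "C:\\Windows\\Explorer.EXE",
        "parentPid": 9920, "parentLaunchTime": "1732638953785",
        "objectRawDataStr": [  # constructed excerpts of the script blocks seen in the sample above
            "Get-ChildItem $Drive -Recurse -Include $fileExtensions -Force | ForEach-Object { $path = $_ }",
            'if ($path.FullName | Select-String "(?i).*SiteList\\.xml") { Write-Host "Possible MCaffee Site List Found" }',
            "$regexSearch.keys | ForEach-Object { Get-Content $path.FullName | Select-String $regexSearch[$_] }",
        ],
    },
}

def epoch_ms(value):
    """firstSeen, lastSeen and *LaunchTime arrive as epoch milliseconds inside strings."""
    ms = int(value)
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(microsecond=(ms % 1000) * 1000)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def ecs_process(d, prefix):
    """Map Trend's <prefix>Cmd, <prefix>Name, <prefix>Pid, ... fields to one ECS process object."""
    proc = {}
    if d.get(prefix + "Cmd"):
        proc["command_line"] = d[prefix + "Cmd"]
    if d.get(prefix + "Name"):
        proc["executable"] = d.get(prefix + "FilePath") or d[prefix + "Name"]
        proc["name"] = d[prefix + "Name"].rsplit("\\", 1)[-1].lower()
    if d.get(prefix + "Pid") is not None:
        proc["pid"] = int(d[prefix + "Pid"])
    if d.get(prefix + "LaunchTime"):
        proc["start"] = epoch_ms(d[prefix + "LaunchTime"])
    if d.get(prefix + "User"):
        proc["user"] = {"name": d[prefix + "User"], "domain": d.get(prefix + "UserDomain")}
    return proc

def threat(event):
    """Techniques: filters' mitreTechniqueIds plus MITRE.* tags (XSAE.* tags are Trend filter ids);
    ids with a dot are sub-techniques.  Tactics: filters' mitreTacticIds plus one inferred per technique."""
    techniques = {t for f in event.get("filters", []) for t in f.get("mitreTechniqueIds", [])}
    techniques |= {t[len("MITRE."):] for t in event["detail"].get("tags", []) if t.startswith("MITRE.")}
    tactics = {t for f in event.get("filters", []) for t in f.get("mitreTacticIds", [])}
    tactics |= {TECHNIQUE_TACTIC[t.split(".")[0]] for t in techniques if t.split(".")[0] in TECHNIQUE_TACTIC}
    return {"tactic": {"id": sorted(tactics)},
            "technique": {"id": sorted(t for t in techniques if "." not in t),
                          "subtechnique": {"id": sorted(t for t in techniques if "." in t)}}}

def normalise(event):
    d = event["detail"]
    # object* = what the acting process touched (a child process, or script blocks as above),
    # process* = the acting process, parent* = its parent.  The page's samples take process.name
    # from processName even when an object process exists, so that quirk is kept here.
    proc = ecs_process(d, "object")
    proc["parent"] = ecs_process(d, "process")
    proc["parent"]["parent"] = ecs_process(d, "parent")
    proc["name"] = proc["parent"].get("name")
    return {
        "@timestamp": event["detectedDateTime"],
        "event": {"category": ["intrusion_detection"], "type": ["info"],
                  "start": epoch_ms(d["firstSeen"]), "end": epoch_ms(d["lastSeen"])},
        "agent": {"id": event["endpoint"]["agentGuid"]},
        "host": {"id": d["endpointGuid"], "name": d["endpointHostName"], "ip": d.get("endpointIp", []),
                 "os": {"name": d["osName"], "version": d["osVer"]}},
        "process": proc, "threat": threat(event),
        "action": {"properties": {"ScriptBlockText": d.get("objectRawDataStr", [])}},
    }

# Assumption: indicators tuned to the credential-hunting script in the sample above.
HUNTING_INDICATORS = {
    "mcafee_sitelist_lookup": re.compile(r"SiteList\\?\.xml|mcafee-sitelist-pwd-decryption", re.I),
    "recursive_file_sweep": re.compile(r"Get-ChildItem\s.*-Recurse\s.*-Include", re.I),
    "regex_password_grep": re.compile(r"Select-String\s+\$regexSearch|Possible Password found", re.I),
}

def credential_hunting_hits(doc):
    """Names of the indicators matched by any ScriptBlockText entry of a normalised event."""
    blocks = doc.get("action", {}).get("properties", {}).get("ScriptBlockText", [])
    return sorted(name for name, rx in HUNTING_INDICATORS.items() if any(rx.search(b) for b in blocks))

if __name__ == "__main__":
    doc = normalise(SAMPLE_OAT)
    print(json.dumps({k: doc[k] for k in ("event", "threat", "process")}, indent=2))
    print("hunting hits:", credential_hunting_hits(doc))
```

Running the module prints the `event`, `threat` and `process` objects for the constructed event (start `2024-11-26T16:45:01.774000Z`, tactics `TA0005` and `TA0009`, `process.parent.parent.name` `explorer.exe`) and reports all three hunting indicators. The hunting check deliberately works on the normalised document rather than the raw `objectRawDataStr`, so the same logic can be applied to events already indexed under `action.properties.ScriptBlockText`.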
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
Before writing rules on the process fields, note how the three process prefixes of a raw OAT event land in ECS, as the sample above shows: Trend's `process*` fields (the acting process, here PowerShell_ISE.exe) populate `process.parent.*`, its `parent*` fields (Explorer.EXE) populate `process.parent.parent.*`, and the `object*` fields (the child the acting process launched or touched) populate `process.*`; `process.name`, however, is taken from `processName`. Three further details visible in the sample: `process.parent.parent.pid` is indexed as a keyword (the string `"9920"`) unlike `process.pid` and `process.parent.pid` (long); `host.ip` holds the IPv6 address in compressed form (`1802:d896:65fe:b84:...` for the raw `1802:d896:65fe:0b84:...`), so exact-match indicators must use the compressed notation; and `threat.tactic.id` carries TA0009 although the raw filter only lists TA0005, so the tactic list also contains tactics derived from the techniques rather than only those reported by Trend Micro.
Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
action.properties.ScriptBlockText | keyword | PowerShell script block texts reported in the raw event's objectRawDataStr (see the sample above). |
agent.id | keyword | Unique identifier of this agent. |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.end | date | event.end contains the date when the event ended or when the activity was last observed. |
event.start | date | event.start contains the date when the event started or when the activity was first observed. |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
group.id | keyword | Unique identifier for the group on the system/platform. |
host.id | keyword | Unique host id. |
host.ip | ip | Host ip addresses. |
host.name | keyword | Name of the host. |
host.os.full | keyword | Operating system name, including the version or code name. |
host.os.name | keyword | Operating system name, without the version. |
host.os.version | keyword | Operating system version as a raw string. |
observer.product | keyword | The product name of the observer. |
observer.vendor | keyword | Vendor name of the observer. |
process.command_line | wildcard | Full command line that started the process. |
process.executable | keyword | Absolute path to the process executable. |
process.hash.md5 | keyword | MD5 hash. |
process.hash.sha1 | keyword | SHA1 hash. |
process.hash.sha256 | keyword | SHA256 hash. |
process.name | keyword | Process name. |
process.parent.command_line | wildcard | Full command line that started the process. |
process.parent.executable | keyword | Absolute path to the process executable. |
process.parent.hash.md5 | keyword | MD5 hash. |
process.parent.hash.sha1 | keyword | SHA1 hash. |
process.parent.hash.sha256 | keyword | SHA256 hash. |
process.parent.parent.command_line | keyword | Full command line that started the grandparent process (raw parentCmd). |
process.parent.parent.executable | keyword | Absolute path to the grandparent process executable (raw parentFilePath). |
process.parent.parent.hash.md5 | keyword | MD5 hash of the grandparent process executable. |
process.parent.parent.hash.sha1 | keyword | SHA1 hash of the grandparent process executable. |
process.parent.parent.hash.sha256 | keyword | SHA256 hash of the grandparent process executable. |
process.parent.parent.name | keyword | Grandparent process name. |
process.parent.parent.pid | keyword | Grandparent process id, indexed as a string. |
process.parent.parent.start | datetime | The time the grandparent process started. |
process.parent.parent.user.domain | keyword | Domain of the user running the grandparent process. |
process.parent.parent.user.name | keyword | Short name or login of the user running the grandparent process. |
process.parent.pid | long | Process id. |
process.parent.start | date | The time the process started. |
process.parent.user.domain | keyword | Domain of the user running the parent process. |
process.pid | long | Process id. |
threat.tactic.id | keyword | Threat tactic id. |
threat.technique.id | keyword | Threat technique id. |
threat.technique.subtechnique.id | keyword | Threat subtechnique id. |
user.domain | keyword | Name of the directory the user is a member of. |
user.name | keyword | Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.
"event": {
"category": [
"intrusion_detection"
],
"end": "2024-11-26T16:45:02.571000Z",
"start": "2024-11-26T16:45:02.571000Z",
"type": [
"info"
]
},
"@timestamp": "2024-11-26T16:45:02Z",
"agent": {
"id": "9f6b89c4-c3b2-4b9f-9401-dae324506ceb"
},
"group": {
"id": "3927f750-c536-480a-ae9f-d9ede20f4a9e"
},
"host": {
"id": "1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1",
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"239.144.71.57"
],
"name": "Windows10",
"os": {
"full": "Windows 10 Pro (64 bit) build 19045",
"name": "Windows",
"version": "10.0.19045"
}
},
"observer": {
"product": "Vision One",
"vendor": "TrendMicro"
},
"process": {
"command_line": "\"C:\\Windows\\system32\\klist.exe\"",
"name": "powershell_ise.exe",
"parent": {
"command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ",
"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
"hash": {
"md5": "fe6a3a98112b13aaad196444afcc041c",
"sha1": "0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b",
"sha256": "09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed"
},
"parent": {
"command_line": "C:\\Windows\\Explorer.EXE",
"executable": "C:\\Windows\\explorer.exe",
"hash": {
"md5": "a377274ae8e84c7e8ff5fd1b3bb9d080",
"sha1": "b1db7fd8ea0d2fb6ca854609c9ff7de5a822b316",
"sha256": "4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac"
},
"name": "explorer.exe",
"pid": "9920",
"start": "2024-11-26T16:35:53.785000Z",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
},
"pid": 5040,
"start": "2024-11-26T16:37:55.967000Z",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
},
"pid": 3464
},
"related": {
"hash": [
"09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed",
"0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b",
"fe6a3a98112b13aaad196444afcc041c"
],
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"239.144.71.57"
],
"user": [
"jdoe"
]
},
"threat": {
"tactic": {
"id": [
"TA0007"
]
},
"technique": {
"id": [
"T1082"
]
}
},
"user": {
"domain": "Windows10",
"name": "jdoe"
}
}
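The two samples above show the same OAT record shape twice: a raw `message` (the JSON Trend Vision One returns) next to the flattened fields Sekoia derives from it. Three things in that mapping are worth seeing in code. Timestamps such as `firstSeen` and `parentLaunchTime` are strings of epoch milliseconds and become `event.start` and `process.parent.start`; the raw IPv6 address `1802:d896:65fe:0b84:742d:0615:f69b:6600` is rewritten to its compressed form `1802:d896:65fe:b84:742d:615:f69b:6600`; and a record carries up to three process levels (`object`, `process`, `parent`) plus a list of `filters`, each with its own MITRE tactic and technique IDs. In the first sample the flattened `process.command_line` and `process.pid` come from `objectCmd`/`objectPid` while `process.name` comes from `processName`, so check which level a field was taken from before pivoting on it. The following is an added example, not Sekoia's parser and not Trend Micro code: it normalizes a record into fields named like the page's output, keeps each process level's command line, image name, pid and hashes together, collects hashes from every level rather than one, and adds a `rule` block (its own invention) with the filter IDs and the highest risk level among them. The AMSI sample (eventId 11) has no `objectPid`, its `object` being scanned script text, so the chain there starts at the PowerShell host. The two input records are constructed here, trimmed from the samples above to the keys the code reads.

```python
"""Added example, not Sekoia's parser or Trend Micro code: flatten a Trend Vision One
Observed Attack Techniques (OAT) record into fields like those in the samples above.
Helper names, the 'rule' block and the trimmed sample records are this example's own."""
import ipaddress
import json
import ntpath
from datetime import datetime, timezone

RISK_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def epoch_ms_to_iso(value):
    """OAT times are strings of epoch ms: '1732639502571' -> '2024-11-26T16:45:02.571000Z'."""
    secs, ms = divmod(int(value), 1000)  # integer split, no float rounding of the millisecond
    stamp = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=ms * 1000)
    return stamp.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def normalize_ip(value):
    """Canonical text form so one address searches as one value ('0b84' -> 'b84'); IPv4 unchanged."""
    return ipaddress.ip_address(value).compressed


def process_level(detail, prefix):
    """One process node from the keys sharing a prefix (objectCmd, objectPid, ... or processCmd, ...).
    Returns None when that level is not a process (an AMSI event's 'object' is script text)."""
    if f"{prefix}Pid" not in detail:
        return None
    path = detail.get(f"{prefix}FilePath", "")
    node = {
        "pid": detail[f"{prefix}Pid"],
        "command_line": detail.get(f"{prefix}Cmd"),
        "executable": path,
        "name": ntpath.basename(path),  # Windows path, split on backslash even on a POSIX host
        "user": {"name": detail.get(f"{prefix}User"), "domain": detail.get(f"{prefix}UserDomain")},
        "hash": {algo: detail[f"{prefix}FileHash{algo.capitalize()}"]
                 for algo in ("md5", "sha1", "sha256") if f"{prefix}FileHash{algo.capitalize()}" in detail},
    }
    if f"{prefix}LaunchTime" in detail:
        node["start"] = epoch_ms_to_iso(detail[f"{prefix}LaunchTime"])
    return node


def process_chain(detail):
    """Innermost process first: object (the spawned child) when present, then process, then parent."""
    levels = [n for n in (process_level(detail, p) for p in ("object", "process", "parent")) if n]
    for child, parent in zip(levels, levels[1:]):
        child["parent"] = parent
    return levels[0] if levels else None


def normalize_oat(record):
    """record: the raw OAT JSON (the 'message' string above) or an already-decoded dict."""
    oat = json.loads(record) if isinstance(record, str) else record
    detail, filters = oat["detail"], oat.get("filters", [])
    ips = [normalize_ip(ip) for ip in detail.get("endpointIp", [])]
    chain = process_chain(detail)
    hashes, node = set(), chain
    while node:  # hashes from every level of the chain, not only one
        hashes.update(node["hash"].values())
        node = node.get("parent")
    return {
        "@timestamp": oat["detectedDateTime"],
        "event": {"category": ["intrusion_detection"], "type": ["info"],
                  "start": epoch_ms_to_iso(detail["firstSeen"]), "end": epoch_ms_to_iso(detail["lastSeen"])},
        "agent": {"id": oat["endpoint"]["agentGuid"]},
        "group": {"id": detail["groupId"]},
        "host": {"id": detail["endpointGuid"], "name": detail["endpointHostName"], "ip": ips,
                 "os": {"full": detail.get("osDescription"), "name": detail.get("osName"),
                        "version": detail.get("osVer")}},
        "process": chain,
        "related": {"hash": sorted(hashes), "ip": ips, "user": sorted(set(detail.get("logonUser", [])))},
        "threat": {"tactic": {"id": sorted({t for f in filters for t in f.get("mitreTacticIds", [])})},
                   "technique": {"id": sorted({t for f in filters for t in f.get("mitreTechniqueIds", [])})}},
        "user": {"name": (detail.get("logonUser") or [None])[0], "domain": (detail.get("userDomain") or [None])[0]},
        # Not in the page's output: which filters fired and the highest risk level among them.
        "rule": {"id": [f["id"] for f in filters], "name": [f["name"] for f in filters],
                 "risk_level": max((f.get("riskLevel", "info") for f in filters),
                                   key=lambda r: RISK_ORDER.get(r, 0), default="info")},
    }


# Constructed inputs, trimmed from the two samples above to the keys this example reads.
SAMPLE_PROCESS_EVENT = {
    "detectedDateTime": "2024-11-26T16:45:02Z",
    "filters": [{"id": "F3457", "name": "Execution of System Discovery Tools",
                 "mitreTacticIds": ["TA0007"], "mitreTechniqueIds": ["T1082"], "riskLevel": "low"}],
    "detail": {
        "endpointGuid": "1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1", "endpointHostName": "Windows10",
        "endpointIp": ["1802:d896:65fe:0b84:742d:0615:f69b:6600", "239.144.71.57"], "eventId": "1",
        "firstSeen": "1732639502571", "lastSeen": "1732639502571", "logonUser": ["jdoe"], "userDomain": ["Windows10"],
        "groupId": "3927f750-c536-480a-ae9f-d9ede20f4a9e",
        "objectCmd": "\"C:\\Windows\\system32\\klist.exe\"", "objectFilePath": "C:\\Windows\\System32\\klist.exe",
        "objectFileHashSha256": "f4c3734b96965947a3f42c6509538774bd0ecea110edfcb9f7463c83c90f32a7",
        "objectPid": 3464, "objectLaunchTime": "1732639502565", "objectUser": "jdoe", "objectUserDomain": "Windows10",
        "processCmd": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ",
        "processFilePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
        "processFileHashSha256": "09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed",
        "processPid": 5040, "processLaunchTime": "1732639075967", "processUser": "jdoe", "processUserDomain": "Windows10",
        "parentCmd": "C:\\Windows\\Explorer.EXE", "parentFilePath": "C:\\Windows\\explorer.exe",
        "parentFileHashSha256": "4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac",
        "parentPid": 9920, "parentLaunchTime": "1732638953785", "parentUser": "jdoe", "parentUserDomain": "Windows10",
        "osDescription": "Windows 10 Pro (64 bit) build 19045", "osName": "Windows", "osVer": "10.0.19045",
    },
    "endpoint": {"agentGuid": "9f6b89c4-c3b2-4b9f-9401-dae324506ceb", "endpointName": "Windows10"},
}
SAMPLE_AMSI_EVENT = {
    "detectedDateTime": "2024-11-26T16:45:01Z",
    "filters": [{"id": "F3367", "name": "Sensitive File Locating via Powershell",
                 "mitreTacticIds": ["TA0009"], "mitreTechniqueIds": ["T1005"], "riskLevel": "low"},
                {"id": "F1971", "name": "Modify File Last Modified Timestamp With PowerShell",
                 "mitreTacticIds": ["TA0005"], "mitreTechniqueIds": ["T1070", "T1070.006"], "riskLevel": "info"}],
    "detail": {
        "endpointGuid": "9567d4bc-ce0b-45cf-b259-138beb4c80c3", "endpointHostName": "Windows10",
        "endpointIp": ["1802:d896:65fe:0b84:742d:0615:f69b:6600", "193.103.164.106"], "eventId": "11",
        "firstSeen": "1732639501774", "lastSeen": "1732639503446", "logonUser": ["jdoe"], "userDomain": ["Windows10"],
        "groupId": "a1c0d757-0961-40a4-8a00-bf9b2922d5de",
        "objectRawDataStr": ["{ Write-Host $_.FullName }"],  # scanned script text: no objectPid, no object process
        "processCmd": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ",
        "processFilePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
        "processFileHashSha256": "4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2",
        "processPid": 5040, "processLaunchTime": "1732639075967", "processUser": "jdoe", "processUserDomain": "Windows10",
        "parentCmd": "C:\\Windows\\Explorer.EXE", "parentFilePath": "C:\\Windows\\explorer.exe",
        "parentPid": 9920, "parentLaunchTime": "1732638953785", "parentUser": "jdoe", "parentUserDomain": "Windows10",
        "osDescription": "Windows 10 Pro (64 bit) build 19045", "osName": "Windows", "osVer": "10.0.19045",
    },
    "endpoint": {"agentGuid": "8e53268d-8348-4fd4-a314-b742448960c9", "endpointName": "Windows10"},
}

if __name__ == "__main__":
    print(json.dumps(normalize_oat(SAMPLE_AMSI_EVENT), indent=2))
```

With the first record the chain reads klist.exe (pid 3464) under powershell_ise.exe (pid 5040) under explorer.exe (pid 9920), each node carrying its own command line and hash; with the AMSI record the chain starts at powershell_ise.exe and the two filters merge into tactics `TA0005`, `TA0009` and techniques `T1005`, `T1070`, `T1070.006`, with `rule.risk_level` set to `low` because `low` outranks `info`. When several filters fire on one record, triage on that highest level rather than on the first filter listed.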
{
"message": "{\"source\": \"endpointActivityData\", \"uuid\": \"43483725-969b-4fb8-a453-c2353a9a5e12\", \"detectedDateTime\": \"2024-11-26T16:45:01Z\", \"filters\": [{\"id\": \"F3367\", \"name\": \"Sensitive File Locating via Powershell\", \"description\": \"Locate files deemed sensitive via Powershell\", \"highlightedObjects\": [{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; 
$_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0009\"], \"mitreTechniqueIds\": [\"T1005\"], \"riskLevel\": \"low\", \"type\": \"preset\"}, {\"id\": \"F1971\", \"name\": \"Modify File Last Modified Timestamp With PowerShell\", \"description\": \"An attempt to modify file's last modified timestamp using Powershell was detected on an endpoint.\", \"highlightedObjects\": [{\"field\": \"processCmd\", \"type\": \"command_line\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \"}, {\"field\": \"processPid\", \"type\": \"process_id\", \"value\": 5040}, 
{\"field\": \"objectRawDataStr\", \"type\": \"amsi_rawDataStr\", \"value\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ 
CategoryInfo : \\\" + $_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"]}, {\"field\": \"parentPid\", \"type\": \"process_id\", \"value\": 9920}, {\"field\": \"parentCmd\", \"type\": \"command_line\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\"}], \"mitreTacticIds\": [\"TA0005\"], \"mitreTechniqueIds\": [\"T1070\", \"T1070.006\"], \"riskLevel\": \"info\", \"type\": \"preset\"}], \"detail\": {\"endpointGuid\": \"9567d4bc-ce0b-45cf-b259-138beb4c80c3\", \"endpointHostName\": \"Windows10\", \"endpointIp\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"eventId\": \"11\", \"eventSubId\": 901, \"eventTime\": \"1732639501774\", \"filterRiskLevel\": \"low\", \"firstSeen\": \"1732639501774\", \"groupId\": \"a1c0d757-0961-40a4-8a00-bf9b2922d5de\", \"integrityLevel\": 12288, \"lastSeen\": \"1732639503446\", \"logReceivedTime\": \"1732639512822\", \"logonUser\": [\"jdoe\"], \"objectAppName\": \"PowerShell_C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe_10.0.19041.1\", \"objectHashId\": 
\"-1780503710981816722\", \"objectRawDataStr\": [\"\\r\\n if ($_.FullyQualifiedErrorId -ne \\\"NativeCommandErrorMessage\\\" -and $ErrorView -ne \\\"CategoryView\\\")\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and $myinv.MyCommand)\\r\\n {\\r\\n switch -regex ( $myinv.MyCommand.CommandType )\\r\\n {\\r\\n ([System.Management.Automation.CommandTypes]::ExternalScript)\\r\\n {\\r\\n if ($myinv.MyCommand.Path)\\r\\n {\\r\\n $myinv.MyCommand.Path + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n ([System.Management.Automation.CommandTypes]::Script)\\r\\n {\\r\\n if ($myinv.MyCommand.ScriptBlock)\\r\\n {\\r\\n $myinv.MyCommand.ScriptBlock.ToString() + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n default\\r\\n {\\r\\n if ($myinv.InvocationName -match '^[&\\\\.]?$')\\r\\n {\\r\\n if ($myinv.MyCommand.Name)\\r\\n {\\r\\n $myinv.MyCommand.Name + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n break\\r\\n }\\r\\n }\\r\\n }\\r\\n elseif ($myinv -and $myinv.InvocationName)\\r\\n {\\r\\n $myinv.InvocationName + \\\" : \\\"\\r\\n }\\r\\n }\\r\\n \", \"\\r\\n if ($_.FullyQualifiedErrorId -eq \\\"NativeCommandErrorMessage\\\") {\\r\\n $_.Exception.Message \\r\\n }\\r\\n else\\r\\n {\\r\\n $myinv = $_.InvocationInfo\\r\\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\\r\\n $posmsg = $myinv.PositionMessage\\r\\n } else {\\r\\n $posmsg = \\\"\\\"\\r\\n }\\r\\n \\r\\n if ($posmsg -ne \\\"\\\")\\r\\n {\\r\\n $posmsg = \\\"`n\\\" + $posmsg\\r\\n }\\r\\n \\t\\t\\t\\t \\r\\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\\r\\n $posmsg = \\\" : \\\" + $_.PSMessageDetails + $posmsg \\r\\n }\\r\\n\\r\\n $indent = 4\\r\\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\\r\\n\\r\\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\\r\\n if ($errorCategoryMsg -ne $null)\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + 
$_.ErrorCategory_Message\\r\\n }\\r\\n else\\r\\n {\\r\\n $indentString = \\\"+ CategoryInfo : \\\" + $_.CategoryInfo\\r\\n }\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $indentString = \\\"+ FullyQualifiedErrorId : \\\" + $_.FullyQualifiedErrorId\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n\\r\\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\\r\\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\\r\\n {\\r\\n $indentString = \\\"+ PSComputerName : \\\" + $originInfo.PSComputerName\\r\\n $posmsg += \\\"`n\\\"\\r\\n foreach($line in @($indentString -split \\\"(.{$width})\\\")) { if($line) { $posmsg += (\\\" \\\" * $indent + $line) } }\\r\\n }\\r\\n\\r\\n if ($ErrorView -eq \\\"CategoryView\\\") {\\r\\n $_.CategoryInfo.GetMessage()\\r\\n }\\r\\n elseif (! $_.ErrorDetails -or ! 
$_.ErrorDetails.Message) {\\r\\n $_.Exception.Message + $posmsg + \\\"`n \\\"\\r\\n } else {\\r\\n $_.ErrorDetails.Message + $posmsg\\r\\n }\\r\\n }\\r\\n \", \"{ Set-StrictMode -Version 1; $_.PSMessageDetails }\", \"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }\", \"{ Set-StrictMode -Version 1; $_.OriginInfo }\", \"{\\n Write-Host $_.FullName\\n }\", \"\\r\\n $_.PSParentPath.Replace(\\\"Microsoft.PowerShell.Core\\\\FileSystem::\\\", \\\"\\\")\\r\\n \", \"\\r\\n [String]::Format(\\\"{0,10} {1,8}\\\", $_.LastWriteTime.ToString(\\\"d\\\"), $_.LastWriteTime.ToString(\\\"t\\\"))\\r\\n \", \"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\\r\\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\\r\\n{\\r\\n return '({0})' -f $_.Length\\r\\n}\\r\\nreturn $_.Length\", \"{\\n if (Test-Path $_) {\\n Write-Host \\\"$_ found.\\\"\\n }\\n}\", \"{\\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\\n Write-Host \\\"$_ Found!\\\" -ForegroundColor red\\n }\\n}\", \"{\\n $Drive = $_\\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText 
\\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host \\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\\n}\", \"{\\n $path = $_\\n #Exclude files/folders with 'lang' in the name\\n if ($Path.FullName | select-string \\\"(?i).*lang.*\\\") {\\n #Write-Host \\\"$($_.FullName) found!\\\" -ForegroundColor red\\n }\\n if($Path.FullName | Select-String \\\"(?i).:\\\\\\\\.*\\\\\\\\.*Pass.*\\\"){\\n write-host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'pass'\\\"\\n }\\n if($Path.FullName | Select-String \\\".:\\\\\\\\.*\\\\\\\\.*user.*\\\" ){\\n Write-Host -ForegroundColor Blue \\\"$($path.FullName) contains the word 'user' -excluding the 'users' directory\\\"\\n }\\n # If path name ends with common excel extensions\\n elseif ($Path.FullName | Select-String \\\".*\\\\.xls\\\",\\\".*\\\\.xlsm\\\",\\\".*\\\\.xlsx\\\") {\\n if ($ReadExcel -and $Excel) {\\n Search-Excel -Source $Path.FullName -SearchText \\\"user\\\"\\n Search-Excel -Source $Path.FullName -SearchText \\\"pass\\\"\\n }\\n }\\n else {\\n if ($path.Length -gt 0) {\\n # Write-Host -ForegroundColor Blue \\\"Path name matches extension search: $path\\\"\\n }\\n if ($path.FullName | Select-String \\\"(?i).*SiteList\\\\.xml\\\") {\\n Write-Host 
\\\"Possible MCaffee Site List Found: $($_.FullName)\\\"\\n Write-Host \\\"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\\\" -ForegroundColor Yellow\\n }\\n $regexSearch.keys | ForEach-Object {\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\\n } \\n }\", \"{\\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\\n if ($passwordFound) {\\n Write-Host \\\"Possible Password found: $_\\\" -ForegroundColor Yellow\\n Write-Host $Path.FullName\\n Write-Host -ForegroundColor Blue \\\"$_ triggered\\\"\\n Write-Host $passwordFound -ForegroundColor Red\\n }\\n }\"], \"osDescription\": \"Windows 10 Pro (64 bit) build 19045\", \"parentCmd\": \"C:\\\\Windows\\\\Explorer.EXE\", \"parentFileHashId\": \"1767110345653159701\", \"parentFileHashMd5\": \"f8ad78f2ad64799786242d69ef77edd7\", \"parentFileHashSha1\": \"f021ca2dca81ee77aa80467096a804a26cd11364\", \"parentFileHashSha256\": \"f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f\", \"parentFilePath\": \"C:\\\\Windows\\\\explorer.exe\", \"parentHashId\": \"999588025188847480\", \"parentIntegrityLevel\": 12288, \"parentLaunchTime\": \"1732638953785\", \"parentName\": \"C:\\\\Windows\\\\explorer.exe\", \"parentPid\": 9920, \"parentSigner\": [\"Microsoft Windows\"], \"parentSignerValid\": [true], \"parentTrueType\": 7, \"parentUser\": \"jdoe\", \"parentUserDomain\": \"Windows10\", \"pname\": \"751\", \"processCmd\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"processFileHashId\": \"-4900073020808934214\", \"processFileHashMd5\": 
\"bd5cf4568d83088240e3b33f9f9838b1\", \"processFileHashSha1\": \"b1692a60d67dc55538f9a25ad3874a6a8f6bb089\", \"processFileHashSha256\": \"4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2\", \"processFilePath\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processHashId\": \"-5529997575794356190\", \"processLaunchTime\": \"1732639075967\", \"processName\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"processPid\": 5040, \"processSigner\": [\"Microsoft Windows\"], \"processSignerValid\": [true], \"processTrueType\": 7, \"processUser\": \"jdoe\", \"processUserDomain\": \"Windows10\", \"productCode\": \"xes\", \"tags\": [\"XSAE.F1971\", \"XSAE.F3367\", \"MITRE.T1005\", \"MITRE.T1070.006\", \"MITRE.T1070\"], \"uuid\": \"b2ece961-6eed-43f1-8890-a8d926840049\", \"plang\": 1, \"pver\": \"1.2.0.5608\", \"processSignerFlagsLibValid\": [false], \"eventHashId\": \"7588760429245659303\", \"processFileSize\": \"212992\", \"eventSourceType\": 1, \"processSignerFlagsAdhoc\": [false], \"objectFirstSeen\": \"1732639501774\", \"processFileModifiedTime\": \"1575651900000\", \"pplat\": 5889, \"processSignerFlagsRuntime\": [false], \"timezone\": \"UTC+00:00\", \"osVer\": \"10.0.19045\", \"authId\": \"1494147\", \"endpointMacAddress\": [\"8f:86:c0:d8:9d:ad\"], \"osType\": \"0x00000030\", \"processFileCreation\": \"1575712305614\", \"userDomain\": [\"Windows10\"], \"sessionId\": 2, \"osName\": \"Windows\", \"objectLastSeen\": \"1732639503446\", \"parentSignerFlagsLibValid\": [false], \"parentFileCreation\": \"1728117061706\", \"parentSessionId\": 2, \"parentFileModifiedTime\": \"1728117061831\", \"parentSignerFlagsAdhoc\": [false], \"parentAuthId\": \"1494147\", \"parentSignerFlagsRuntime\": [false], \"parentFileSize\": \"5845320\", \"objectSessionId\": \"19746\", \"objectRawDataSize\": [\"2995\", \"3802\", \"50\", \"55\", \"44\", \"32\", \"169\", \"169\", \"170\", \"56\", \"107\", \"1848\", 
\"1719\", \"411\"]}, \"ingestedDateTime\": \"2024-11-26T16:45:25Z\", \"entityType\": \"endpoint\", \"entityName\": \"Windows10(1802:d896:65fe:0b84:742d:0615:f69b:6600,193.103.164.106)\", \"endpoint\": {\"ips\": [\"1802:d896:65fe:0b84:742d:0615:f69b:6600\", \"193.103.164.106\"], \"agentGuid\": \"8e53268d-8348-4fd4-a314-b742448960c9\", \"endpointName\": \"Windows10\"}}",
"event": {
"category": [
"intrusion_detection"
],
"end": "2024-11-26T16:45:03.446000Z",
"start": "2024-11-26T16:45:01.774000Z",
"type": [
"info"
]
},
"@timestamp": "2024-11-26T16:45:01Z",
"action": {
"properties": {
"ScriptBlockText": [
"\r\n $_.PSParentPath.Replace(\"Microsoft.PowerShell.Core\\FileSystem::\", \"\")\r\n ",
"\r\n [String]::Format(\"{0,10} {1,8}\", $_.LastWriteTime.ToString(\"d\"), $_.LastWriteTime.ToString(\"t\"))\r\n ",
"\r\n if ($_.FullyQualifiedErrorId -ne \"NativeCommandErrorMessage\" -and $ErrorView -ne \"CategoryView\")\r\n {\r\n $myinv = $_.InvocationInfo\r\n if ($myinv -and $myinv.MyCommand)\r\n {\r\n switch -regex ( $myinv.MyCommand.CommandType )\r\n {\r\n ([System.Management.Automation.CommandTypes]::ExternalScript)\r\n {\r\n if ($myinv.MyCommand.Path)\r\n {\r\n $myinv.MyCommand.Path + \" : \"\r\n }\r\n break\r\n }\r\n ([System.Management.Automation.CommandTypes]::Script)\r\n {\r\n if ($myinv.MyCommand.ScriptBlock)\r\n {\r\n $myinv.MyCommand.ScriptBlock.ToString() + \" : \"\r\n }\r\n break\r\n }\r\n default\r\n {\r\n if ($myinv.InvocationName -match '^[&\\.]?$')\r\n {\r\n if ($myinv.MyCommand.Name)\r\n {\r\n $myinv.MyCommand.Name + \" : \"\r\n }\r\n }\r\n else\r\n {\r\n $myinv.InvocationName + \" : \"\r\n }\r\n break\r\n }\r\n }\r\n }\r\n elseif ($myinv -and $myinv.InvocationName)\r\n {\r\n $myinv.InvocationName + \" : \"\r\n }\r\n }\r\n ",
"\r\n if ($_.FullyQualifiedErrorId -eq \"NativeCommandErrorMessage\") {\r\n $_.Exception.Message \r\n }\r\n else\r\n {\r\n $myinv = $_.InvocationInfo\r\n if ($myinv -and ($myinv.MyCommand -or ($_.CategoryInfo.Category -ne 'ParserError'))) {\r\n $posmsg = $myinv.PositionMessage\r\n } else {\r\n $posmsg = \"\"\r\n }\r\n \r\n if ($posmsg -ne \"\")\r\n {\r\n $posmsg = \"`n\" + $posmsg\r\n }\r\n \t\t\t\t \r\n if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails } ) {\r\n $posmsg = \" : \" + $_.PSMessageDetails + $posmsg \r\n }\r\n\r\n $indent = 4\r\n $width = $host.UI.RawUI.BufferSize.Width - $indent - 2\r\n\r\n $errorCategoryMsg = & { Set-StrictMode -Version 1; $_.ErrorCategory_Message }\r\n if ($errorCategoryMsg -ne $null)\r\n {\r\n $indentString = \"+ CategoryInfo : \" + $_.ErrorCategory_Message\r\n }\r\n else\r\n {\r\n $indentString = \"+ CategoryInfo : \" + $_.CategoryInfo\r\n }\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n\r\n $indentString = \"+ FullyQualifiedErrorId : \" + $_.FullyQualifiedErrorId\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n\r\n $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo }\r\n if (($originInfo -ne $null) -and ($originInfo.PSComputerName -ne $null))\r\n {\r\n $indentString = \"+ PSComputerName : \" + $originInfo.PSComputerName\r\n $posmsg += \"`n\"\r\n foreach($line in @($indentString -split \"(.{$width})\")) { if($line) { $posmsg += (\" \" * $indent + $line) } }\r\n }\r\n\r\n if ($ErrorView -eq \"CategoryView\") {\r\n $_.CategoryInfo.GetMessage()\r\n }\r\n elseif (! $_.ErrorDetails -or ! $_.ErrorDetails.Message) {\r\n $_.Exception.Message + $posmsg + \"`n \"\r\n } else {\r\n $_.ErrorDetails.Message + $posmsg\r\n }\r\n }\r\n ",
"if ($_ -is [System.IO.DirectoryInfo]) { return '' }\r\nif ($_.Attributes -band [System.IO.FileAttributes]::Offline)\r\n{\r\n return '({0})' -f $_.Length\r\n}\r\nreturn $_.Length",
"{\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }",
"{\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }",
"{\n Write-Host $_.FullName\n }",
"{\n $Drive = $_\n Get-ChildItem $Drive -Recurse -Include $fileExtensions -ErrorAction SilentlyContinue -Force | ForEach-Object {\n $path = $_\n #Exclude files/folders with 'lang' in the name\n if ($Path.FullName | select-string \"(?i).*lang.*\") {\n #Write-Host \"$($_.FullName) found!\" -ForegroundColor red\n }\n if($Path.FullName | Select-String \"(?i).:\\\\.*\\\\.*Pass.*\"){\n write-host -ForegroundColor Blue \"$($path.FullName) contains the word 'pass'\"\n }\n if($Path.FullName | Select-String \".:\\\\.*\\\\.*user.*\" ){\n Write-Host -ForegroundColor Blue \"$($path.FullName) contains the word 'user' -excluding the 'users' directory\"\n }\n # If path name ends with common excel extensions\n elseif ($Path.FullName | Select-String \".*\\.xls\",\".*\\.xlsm\",\".*\\.xlsx\") {\n if ($ReadExcel -and $Excel) {\n Search-Excel -Source $Path.FullName -SearchText \"user\"\n Search-Excel -Source $Path.FullName -SearchText \"pass\"\n }\n }\n else {\n if ($path.Length -gt 0) {\n # Write-Host -ForegroundColor Blue \"Path name matches extension search: $path\"\n }\n if ($path.FullName | Select-String \"(?i).*SiteList\\.xml\") {\n Write-Host \"Possible MCaffee Site List Found: $($_.FullName)\"\n Write-Host \"Just going to leave this here: https://github.com/funoverip/mcafee-sitelist-pwd-decryption\" -ForegroundColor Yellow\n }\n $regexSearch.keys | ForEach-Object {\n $passwordFound = Get-Content $path.FullName -ErrorAction SilentlyContinue -Force | Select-String $regexSearch[$_] -Context 1, 1\n if ($passwordFound) {\n Write-Host \"Possible Password found: $_\" -ForegroundColor Yellow\n Write-Host $Path.FullName\n Write-Host -ForegroundColor Blue \"$_ triggered\"\n Write-Host $passwordFound -ForegroundColor Red\n }\n }\n } \n }\n}",
"{\n if (Test-Path $_ -ErrorAction SilentlyContinue) {\n Write-Host \"$_ Found!\" -ForegroundColor red\n }\n}",
"{\n if (Test-Path $_) {\n Write-Host \"$_ found.\"\n }\n}",
"{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }",
"{ Set-StrictMode -Version 1; $_.OriginInfo }",
"{ Set-StrictMode -Version 1; $_.PSMessageDetails }"
]
}
},
"agent": {
"id": "8e53268d-8348-4fd4-a314-b742448960c9"
},
"group": {
"id": "a1c0d757-0961-40a4-8a00-bf9b2922d5de"
},
"host": {
"id": "9567d4bc-ce0b-45cf-b259-138beb4c80c3",
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"193.103.164.106"
],
"name": "Windows10",
"os": {
"full": "Windows 10 Pro (64 bit) build 19045",
"name": "Windows",
"version": "10.0.19045"
}
},
"observer": {
"product": "Vision One",
"vendor": "TrendMicro"
},
"process": {
"name": "powershell_ise.exe",
"parent": {
"command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ",
"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
"hash": {
"md5": "bd5cf4568d83088240e3b33f9f9838b1",
"sha1": "b1692a60d67dc55538f9a25ad3874a6a8f6bb089",
"sha256": "4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2"
},
"parent": {
"command_line": "C:\\Windows\\Explorer.EXE",
"executable": "C:\\Windows\\explorer.exe",
"hash": {
"md5": "f8ad78f2ad64799786242d69ef77edd7",
"sha1": "f021ca2dca81ee77aa80467096a804a26cd11364",
"sha256": "f2e4604dfae18859b13a4efee601df6937e99dd96251c11205c30022b308868f"
},
"name": "explorer.exe",
"pid": "9920",
"start": "2024-11-26T16:35:53.785000Z",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
},
"pid": 5040,
"start": "2024-11-26T16:37:55.967000Z",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
}
},
"related": {
"hash": [
"4388c298be8260741724ebf8b414ca063247d6a0d5d5aa5318f90edda3189cd2",
"b1692a60d67dc55538f9a25ad3874a6a8f6bb089",
"bd5cf4568d83088240e3b33f9f9838b1"
],
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"193.103.164.106"
]
},
"threat": {
"tactic": {
"id": [
"TA0005",
"TA0009"
]
},
"technique": {
"id": [
"T1005",
"T1070"
],
"subtechnique": {
"id": [
"T1070.006"
]
}
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp | date | Date/time when the event originated. |
action.properties.ScriptBlockText | keyword | |
agent.id | keyword | Unique identifier of this agent. |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.end | date | event.end contains the date when the event ended or when the activity was last observed. |
event.start | date | event.start contains the date when the event started or when the activity was first observed. |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
group.id | keyword | Unique identifier for the group on the system/platform. |
host.id | keyword | Unique host id. |
host.ip | ip | Host ip addresses. |
host.name | keyword | Name of the host. |
host.os.full | keyword | Operating system name, including the version or code name. |
host.os.name | keyword | Operating system name, without the version. |
host.os.version | keyword | Operating system version as a raw string. |
observer.product | keyword | The product name of the observer. |
observer.vendor | keyword | Vendor name of the observer. |
process.command_line | wildcard | Full command line that started the process. |
process.executable | keyword | Absolute path to the process executable. |
process.hash.md5 | keyword | MD5 hash. |
process.hash.sha1 | keyword | SHA1 hash. |
process.hash.sha256 | keyword | SHA256 hash. |
process.name | keyword | Process name. |
process.parent.command_line | wildcard | Full command line that started the process. |
process.parent.executable | keyword | Absolute path to the process executable. |
process.parent.hash.md5 | keyword | MD5 hash. |
process.parent.hash.sha1 | keyword | SHA1 hash. |
process.parent.hash.sha256 | keyword | SHA256 hash. |
process.parent.parent.command_line | keyword | |
process.parent.parent.executable | keyword | |
process.parent.parent.hash.md5 | keyword | |
process.parent.parent.hash.sha1 | keyword | |
process.parent.parent.hash.sha256 | keyword | |
process.parent.parent.name | keyword | |
process.parent.parent.pid | keyword | |
process.parent.parent.start | datetime | |
process.parent.parent.user.domain | keyword | |
process.parent.parent.user.name | keyword | |
process.parent.pid | long | Process id. |
process.parent.start | date | The time the process started. |
process.parent.user.domain | keyword | |
process.pid | long | Process id. |
threat.tactic.id | keyword | Threat tactic id. |
threat.technique.id | keyword | Threat technique id. |
threat.technique.subtechnique.id | keyword | Threat subtechnique id. |
user.domain | keyword | Name of the directory the user is a member of. |
user.name | keyword | Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.