1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:37:48", original_file_name="netsh.exe", parent_process="unknown", parent_process_name="cmd.exe", process="netsh  advfirewall set currentprofile state off", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line netsh  advfirewall set currentprofile state off on ar-win-dc.", risk_object="unknown", risk_object_type="user", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="unknown"
1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:37:48", original_file_name="netsh.exe", parent_process="unknown", parent_process_name="cmd.exe", process="netsh  advfirewall set currentprofile state off", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line netsh  advfirewall set currentprofile state off on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="unknown"
1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="4", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:37:48", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process="C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="Administrator"
1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="4", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:37:48", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process="C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="Administrator"
1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:31:45", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_name="cmd.exe", process="netsh  advfirewall set currentprofile state off", process="netsh  firewall set opmode mode=disable", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line netsh  advfirewall set currentprofile state off netsh  firewall set opmode mode=disable on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="Administrator"
1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:31:45", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_name="cmd.exe", process="netsh  advfirewall set currentprofile state off", process="netsh  firewall set opmode mode=disable", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line netsh  advfirewall set currentprofile state off netsh  firewall set opmode mode=disable on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="Administrator"
1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:31:48", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_name="cmd.exe", process="netsh  advfirewall set currentprofile state off", process="netsh  firewall set opmode mode=disable", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line netsh  advfirewall set currentprofile state off netsh  firewall set opmode mode=disable on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="ATTACKRANGE\\Administrator"
1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:31:48", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_name="cmd.exe", process="netsh  advfirewall set currentprofile state off", process="netsh  firewall set opmode mode=disable", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line netsh  advfirewall set currentprofile state off netsh  firewall set opmode mode=disable on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="ATTACKRANGE\\Administrator"
1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:37:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:37:49", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process_name="cmd.exe", process="netsh  advfirewall set currentprofile state off", process="netsh  firewall set opmode mode=disable", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line netsh  advfirewall set currentprofile state off netsh  firewall set opmode mode=disable on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="ATTACKRANGE\\Administrator"
1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:37:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:37:49", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process_name="cmd.exe", process="netsh  advfirewall set currentprofile state off", process="netsh  firewall set opmode mode=disable", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line netsh  advfirewall set currentprofile state off netsh  firewall set opmode mode=disable on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="ATTACKRANGE\\Administrator"
1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:44", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:37:48", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", parent_process_name="cmd.exe", process="netsh  advfirewall set currentprofile state off", process="netsh  firewall set opmode mode=disable", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line netsh  advfirewall set currentprofile state off netsh  firewall set opmode mode=disable on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="Administrator"
1686743391, search_name="ESCU - Processes launching netsh - Rule", analyticstories="Azorult", analyticstories="DHS Report TA18-074A", analyticstories="Disabling Security Tools", analyticstories="Netsh Abuse", annotations="{\"analytic_story\":[\"Netsh Abuse\",\"Disabling Security Tools\",\"DHS Report TA18-074A\",\"Azorult\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":20,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.004\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DHS Report TA18-074A", annotations._all="Disabling Security Tools", annotations._all="CIS 10", annotations._all="DE.AE", annotations._all="Azorult", annotations._all="Netsh Abuse", annotations._all="Exploitation", annotations._all="T1562.004", annotations._all="T1562", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Netsh Abuse", annotations.analytic_story="Disabling Security Tools", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.004", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:44", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743388.768773000", lastTime="2023-06-14T11:37:48", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", parent_process_name="cmd.exe", process="netsh  advfirewall set currentprofile state off", process="netsh  firewall set opmode mode=disable", process_name="netsh.exe", risk_message="A process netsh.exe has launched netsh with command-line netsh  advfirewall set currentprofile state off netsh  firewall set opmode mode=disable on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="14.0", savedsearch_description="This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.", user="Administrator"
1686743381, search_name="ESCU - Icacls Deny Command - Rule", analyticstories="Azorult", analyticstories="Sandworm Tools", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Azorult\",\"Sandworm Tools\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="Azorult", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1222", annotations._all="DE.CM", annotations._all="Sandworm Tools", annotations._all="XMRig", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Azorult", annotations.analytic_story="Sandworm Tools", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="4", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743375.678635000", lastTime="2023-06-14T11:37:21", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /deny test ZELMA_HENDERSON", process="cacls   /deny test ZELMA_HENDERSON", process_id="0x175c", process_id="0x179c", process_id="5980", process_id="6044", process_name="cacls.exe", risk_message="Process name cacls.exe with deny argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="Administrator", risk_object_type="user", risk_score="72.0", savedsearch_description="This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files.", user="Administrator"
1686743381, search_name="ESCU - Icacls Deny Command - Rule", analyticstories="Azorult", analyticstories="Sandworm Tools", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Azorult\",\"Sandworm Tools\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="Azorult", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1222", annotations._all="DE.CM", annotations._all="Sandworm Tools", annotations._all="XMRig", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Azorult", annotations.analytic_story="Sandworm Tools", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="4", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743375.678635000", lastTime="2023-06-14T11:37:21", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /deny test ZELMA_HENDERSON", process="cacls   /deny test ZELMA_HENDERSON", process_id="0x175c", process_id="0x179c", process_id="5980", process_id="6044", process_name="cacls.exe", risk_message="Process name cacls.exe with deny argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="72.0", savedsearch_description="This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files.", user="Administrator"
1686743355, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="XMRig", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="T1222", annotations._all="Ransomware", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:44", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743348.190930000", lastTime="2023-06-14T11:31:44", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /grant test ZELMA_HENDERSON", process="cacls   /grant test ZELMA_HENDERSON", process_id="0x1304", process_id="4868", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="Administrator", risk_object_type="user", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="Administrator"
1686743355, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="XMRig", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="T1222", annotations._all="Ransomware", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:44", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743348.190930000", lastTime="2023-06-14T11:31:44", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /grant test ZELMA_HENDERSON", process="cacls   /grant test ZELMA_HENDERSON", process_id="0x1304", process_id="4868", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="Administrator"
1686743355, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="XMRig", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="T1222", annotations._all="Ransomware", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:30:47", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743348.190930000", lastTime="2023-06-14T11:30:47", parent_process_name="cmd.exe", process="cacls   /grant test ZELMA_HENDERSON", process_id="4868", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by ATTACKRANGE\\Administrator to change security permission of a specific file or directory on host ar-win-dc", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="ATTACKRANGE\\Administrator"
1686743355, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="XMRig", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="T1222", annotations._all="Ransomware", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:30:47", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743348.190930000", lastTime="2023-06-14T11:30:47", parent_process_name="cmd.exe", process="cacls   /grant test ZELMA_HENDERSON", process_id="4868", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by ATTACKRANGE\\Administrator to change security permission of a specific file or directory on host ar-win-dc", risk_object="ar-win-dc", risk_object_type="system", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="ATTACKRANGE\\Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0xa20", process="C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable", process_id="0xf68", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0xa20", process="C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable", process_id="0xf68", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:48", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x11d8", process="C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable", process_id="0xdcc", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:48", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x11d8", process="C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable", process_id="0xdcc", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0xa20", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process_id="0x172c", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0xa20", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process_id="0x172c", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:44", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:44", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x11d8", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process_id="0x121c", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:44", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:44", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x11d8", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process_id="0x121c", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:45", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="2592", process="netsh  firewall set opmode mode=disable", process_id="3944", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:45", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="2592", process="netsh  firewall set opmode mode=disable", process_id="3944", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:45", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="2592", process="netsh  advfirewall set currentprofile state off", process_id="5932", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:45", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="2592", process="netsh  advfirewall set currentprofile state off", process_id="5932", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:48", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", parent_process_id="4568", process="netsh  firewall set opmode mode=disable", process_id="3532", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:48", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", parent_process_id="4568", process="netsh  firewall set opmode mode=disable", process_id="3532", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:44", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:44", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", parent_process_id="4568", process="netsh  advfirewall set currentprofile state off", process_id="4636", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:44", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:44", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", parent_process_id="4568", process="netsh  advfirewall set currentprofile state off", process_id="4636", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:48", original_file_name="netsh.exe", parent_process="unknown", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="4568", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by unknown.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="unknown"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:48", original_file_name="netsh.exe", parent_process="unknown", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="4568", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by unknown.", risk_object="unknown", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="unknown"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:48", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="null", process="netsh  firewall set opmode mode=disable", process_id="3944", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:48", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="null", process="netsh  firewall set opmode mode=disable", process_id="3944", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:48", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="5932", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:31:48", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="5932", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:49", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:49", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process_id="null", process="netsh  firewall set opmode mode=disable", process_id="3532", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:49", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:49", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process_id="null", process="netsh  firewall set opmode mode=disable", process_id="3532", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:45", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="4636", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686743220, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="DE.AE", annotations._all="CIS 10", annotations._all="Exploitation", annotations._all="T1562.001", annotations._all="T1562", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743215.028098000", lastTime="2023-06-14T11:37:45", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="4636", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686743132, search_name="ESCU - Windows Create Local Account - Rule", action="created", annotations="{\"analytic_story\":[\"Account Monitoring and Controls\"],\"cis20\":[\"CIS 10\"],\"confidence\":90,\"impact\":20,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="T1136.001", annotations._all="Installation", annotations._all="Account Monitoring and Controls", annotations._all="T1136", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Account Monitoring and Controls", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:32", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743127.121934000", lastTime="2023-06-14T11:37:32", result="account was created", result_id="4720", risk_message="The following art-test1 was added to ar-win-dc.attackrange.local as a local account.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="18.0", savedsearch_description="The following analytic identifies a new local user account added to a computer. Note that, this should be restricted to critical assets.", user="art-test1"
1686743132, search_name="ESCU - Windows Create Local Account - Rule", action="created", annotations="{\"analytic_story\":[\"Account Monitoring and Controls\"],\"cis20\":[\"CIS 10\"],\"confidence\":90,\"impact\":20,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="T1136.001", annotations._all="Installation", annotations._all="Account Monitoring and Controls", annotations._all="T1136", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Account Monitoring and Controls", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:32", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743127.121934000", lastTime="2023-06-14T11:37:32", result="account was created", result_id="4720", risk_message="The following art-test1 was added to ar-win-dc.attackrange.local as a local account.", risk_object="art-test1", risk_object_type="user", risk_score="18.0", savedsearch_description="The following analytic identifies a new local user account added to a computer. Note that, this should be restricted to critical assets.", user="art-test1"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:39", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", process="net  localgroup administrators art-test1 /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="net.exe", risk_object_type="other", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:39", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", process="net  localgroup administrators art-test1 /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:39", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", process="net  localgroup administrators art-test1 /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:48", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process="unknown", process="net  localgroup administrators art-test1 /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator unknown attempting to add a user to the local Administrators group.", risk_object="net.exe", risk_object_type="other", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator", user="unknown"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:48", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process="unknown", process="net  localgroup administrators art-test1 /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator unknown attempting to add a user to the local Administrators group.", risk_object="ar-win-dc", risk_object_type="system", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator", user="unknown"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:48", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process="unknown", process="net  localgroup administrators art-test1 /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator unknown attempting to add a user to the local Administrators group.", risk_object="unknown", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator", user="unknown"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:48", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process="unknown", process="net  localgroup administrators art-test1 /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator unknown attempting to add a user to the local Administrators group.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator", user="unknown"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:45", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", process="net  localgroup administrators art-test /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="net.exe", risk_object_type="other", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:45", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", process="net  localgroup administrators art-test /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:45", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", process="net  localgroup administrators art-test /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:48", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", process="net  localgroup administrators art-test /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator attempting to add a user to the local Administrators group.", risk_object="net.exe", risk_object_type="other", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:48", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", process="net  localgroup administrators art-test /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator attempting to add a user to the local Administrators group.", risk_object="ar-win-dc", risk_object_type="system", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:48", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", process="net  localgroup administrators art-test /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator attempting to add a user to the local Administrators group.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:39", parent_process="C:\\Windows\\System32\\net.exe", parent_process="net  localgroup administrators art-test1 /add", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="net1.exe", risk_object_type="other", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:39", parent_process="C:\\Windows\\System32\\net.exe", parent_process="net  localgroup administrators art-test1 /add", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:39", parent_process="C:\\Windows\\System32\\net.exe", parent_process="net  localgroup administrators art-test1 /add", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:48", parent_process="net  localgroup administrators art-test1 /add", parent_process="unknown", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator unknown attempting to add a user to the local Administrators group.", risk_object="net1.exe", risk_object_type="other", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator", user="unknown"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:48", parent_process="net  localgroup administrators art-test1 /add", parent_process="unknown", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator unknown attempting to add a user to the local Administrators group.", risk_object="ar-win-dc", risk_object_type="system", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator", user="unknown"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:48", parent_process="net  localgroup administrators art-test1 /add", parent_process="unknown", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator unknown attempting to add a user to the local Administrators group.", risk_object="unknown", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator", user="unknown"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:48", parent_process="net  localgroup administrators art-test1 /add", parent_process="unknown", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator unknown attempting to add a user to the local Administrators group.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator", user="unknown"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:45", parent_process="C:\\Windows\\System32\\net.exe", parent_process="net  localgroup administrators art-test /add", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="net1.exe", risk_object_type="other", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:45", parent_process="C:\\Windows\\System32\\net.exe", parent_process="net  localgroup administrators art-test /add", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:45", parent_process="C:\\Windows\\System32\\net.exe", parent_process="net  localgroup administrators art-test /add", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:48", parent_process="net  localgroup administrators art-test /add", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator attempting to add a user to the local Administrators group.", risk_object="net1.exe", risk_object_type="other", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:48", parent_process="net  localgroup administrators art-test /add", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator attempting to add a user to the local Administrators group.", risk_object="ar-win-dc", risk_object_type="system", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:48", parent_process="net  localgroup administrators art-test /add", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_name="net1.exe", risk_message="An instance of  spawning net1.exe was identified on endpoint ar-win-dc by user ATTACKRANGE\\Administrator attempting to add a user to the local Administrators group.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="ATTACKRANGE\\Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:39", parent_process="C:\\Windows\\System32\\cmd.exe", process="C:\\Windows\\System32\\net.exe localgroup administrators art-test1 /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="net.exe", risk_object_type="other", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:39", parent_process="C:\\Windows\\System32\\cmd.exe", process="C:\\Windows\\System32\\net.exe localgroup administrators art-test1 /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:37:39", parent_process="C:\\Windows\\System32\\cmd.exe", process="C:\\Windows\\System32\\net.exe localgroup administrators art-test1 /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:45", parent_process="C:\\Windows\\System32\\cmd.exe", process="C:\\Windows\\System32\\net.exe localgroup administrators art-test /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="net.exe", risk_object_type="other", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:45", parent_process="C:\\Windows\\System32\\cmd.exe", process="C:\\Windows\\System32\\net.exe localgroup administrators art-test /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743117, search_name="ESCU - Create local admin accounts using net exe - Rule", analyticstories="Azorult", analyticstories="CISA AA22-257A", analyticstories="DHS Report TA18-074A", annotations="{\"analytic_story\":[\"DHS Report TA18-074A\",\"Azorult\",\"CISA AA22-257A\"],\"cis20\":[\"CIS 10\"],\"confidence\":60,\"impact\":50,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="DHS Report TA18-074A", annotations._all="T1136.001", annotations._all="CISA AA22-257A", annotations._all="T1136", annotations._all="Installation", annotations._all="CIS 10", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DHS Report TA18-074A", annotations.analytic_story="Azorult", annotations.analytic_story="CISA AA22-257A", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743110.525385000", lastTime="2023-06-14T11:31:45", parent_process="C:\\Windows\\System32\\cmd.exe", process="C:\\Windows\\System32\\net.exe localgroup administrators art-test /add", process_name="net.exe", risk_message="An instance of  spawning net.exe was identified on endpoint ar-win-dc.attackrange.local by user Administrator attempting to add a user to the local Administrators group.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="This search looks for the creation of local administrator accounts using net.exe .", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="5736", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="5736", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="5736", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="unknown", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="5736", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:48", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5488", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:48", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5488", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:48", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5488", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="unknown", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:48", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5488", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:32", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:32", original_file_name="net1.exe", parent_process="net  user art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="6068", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:32", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:32", original_file_name="net1.exe", parent_process="net  user art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="6068", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:32", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:32", original_file_name="net1.exe", parent_process="net  user art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="6068", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:32", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:32", original_file_name="net1.exe", parent_process="net  user art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="6068", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:33", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:33", original_file_name="net1.exe", parent_process="net  user art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="6068", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:33", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:33", original_file_name="net1.exe", parent_process="net  user art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="6068", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:33", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:33", original_file_name="net1.exe", parent_process="net  user art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="6068", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:33", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:33", original_file_name="net1.exe", parent_process="net  user art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="6068", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="4340", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="4340", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="4340", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="4340", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:48", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="4340", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:48", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="4340", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:48", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="4340", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:48", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="4340", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5644", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5644", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5644", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5644", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5644", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5644", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5644", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test1 /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="5644", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="5028", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="5028", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="5028", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="5028", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:48", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="5028", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:48", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="5028", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:48", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="5028", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:48", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="5028", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:32", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:32", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="0x17b4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:32", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:32", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="0x17b4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:32", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:32", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="0x17b4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:32", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:32", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test1 /add", process_id="0x17b4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="0x160c", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="0x160c", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="0x160c", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:39", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:37:39", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test1 /add", process_id="0x160c", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x13a4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x13a4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x13a4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x13a4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x10f4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x10f4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x10f4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686743042, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:45", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686743037.521091000", lastTime="2023-06-14T11:31:45", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x10f4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686742822, search_name="ESCU - Windows System Shutdown CommandLine - Rule", analyticstories="DarkCrystal RAT", annotations="{\"analytic_story\":[\"DarkCrystal RAT\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Actions on Objectives\"],\"mitre_attack\":[\"T1529\"],\"nist\":[\"DE.AE\"]}", annotations._all="DarkCrystal RAT", annotations._all="CIS 10", annotations._all="Actions on Objectives", annotations._all="T1529", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DarkCrystal RAT", annotations.cis20="CIS 10", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1529", annotations.nist="DE.AE", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:46", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686742815.066472000", lastTime="2023-06-14T11:31:46", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0xa20", process="C:\\Windows\\System32\\shutdown.exe /s /t 0", process_id="0xb24", process_name="shutdown.exe", risk_message="Process shutdown.exe seen to execute shutdown via commandline on ar-win-dc.attackrange.local", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies Windows commandline to shutdown a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to shutdown a machine.", user="Administrator"
1686742822, search_name="ESCU - Windows System Shutdown CommandLine - Rule", analyticstories="DarkCrystal RAT", annotations="{\"analytic_story\":[\"DarkCrystal RAT\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Actions on Objectives\"],\"mitre_attack\":[\"T1529\"],\"nist\":[\"DE.AE\"]}", annotations._all="DarkCrystal RAT", annotations._all="CIS 10", annotations._all="Actions on Objectives", annotations._all="T1529", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DarkCrystal RAT", annotations.cis20="CIS 10", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1529", annotations.nist="DE.AE", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:54", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686742815.066472000", lastTime="2023-06-14T11:37:54", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x11d8", process="C:\\Windows\\System32\\shutdown.exe /s /t 0", process_id="0x1674", process_name="shutdown.exe", risk_message="Process shutdown.exe seen to execute shutdown via commandline on ar-win-dc.attackrange.local", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies Windows commandline to shutdown a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to shutdown a machine.", user="Administrator"
1686742822, search_name="ESCU - Windows System Shutdown CommandLine - Rule", analyticstories="DarkCrystal RAT", annotations="{\"analytic_story\":[\"DarkCrystal RAT\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Actions on Objectives\"],\"mitre_attack\":[\"T1529\"],\"nist\":[\"DE.AE\"]}", annotations._all="DarkCrystal RAT", annotations._all="CIS 10", annotations._all="Actions on Objectives", annotations._all="T1529", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DarkCrystal RAT", annotations.cis20="CIS 10", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1529", annotations.nist="DE.AE", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:31:46", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686742815.066472000", lastTime="2023-06-14T11:31:46", original_file_name="SHUTDOWN.EXE", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="2592", process="shutdown  /s /t 0", process_id="2852", process_name="shutdown.exe", risk_message="Process shutdown.exe seen to execute shutdown via commandline on ar-win-dc.attackrange.local", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies Windows commandline to shutdown a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to shutdown a machine.", user="Administrator"
1686742822, search_name="ESCU - Windows System Shutdown CommandLine - Rule", analyticstories="DarkCrystal RAT", annotations="{\"analytic_story\":[\"DarkCrystal RAT\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Actions on Objectives\"],\"mitre_attack\":[\"T1529\"],\"nist\":[\"DE.AE\"]}", annotations._all="DarkCrystal RAT", annotations._all="CIS 10", annotations._all="Actions on Objectives", annotations._all="T1529", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DarkCrystal RAT", annotations.cis20="CIS 10", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1529", annotations.nist="DE.AE", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:37:54", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686742815.066472000", lastTime="2023-06-14T11:37:54", original_file_name="SHUTDOWN.EXE", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", parent_process_id="4568", process="shutdown  /s /t 0", process_id="5748", process_name="shutdown.exe", risk_message="Process shutdown.exe seen to execute shutdown via commandline on ar-win-dc.attackrange.local", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies Windows commandline to shutdown a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to shutdown a machine.", user="Administrator"
1686742822, search_name="ESCU - Windows System Shutdown CommandLine - Rule", analyticstories="DarkCrystal RAT", annotations="{\"analytic_story\":[\"DarkCrystal RAT\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Actions on Objectives\"],\"mitre_attack\":[\"T1529\"],\"nist\":[\"DE.AE\"]}", annotations._all="DarkCrystal RAT", annotations._all="CIS 10", annotations._all="Actions on Objectives", annotations._all="T1529", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DarkCrystal RAT", annotations.cis20="CIS 10", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1529", annotations.nist="DE.AE", dest="ar-win-dc", firstTime="2023-06-14T11:31:48", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686742815.066472000", lastTime="2023-06-14T11:31:48", original_file_name="SHUTDOWN.EXE", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="null", process="shutdown  /s /t 0", process_id="2852", process_name="shutdown.exe", risk_message="Process shutdown.exe seen to execute shutdown via commandline on ar-win-dc", risk_object="ar-win-dc", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies Windows commandline to shutdown a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to shutdown a machine.", user="ATTACKRANGE\\Administrator"
1686742822, search_name="ESCU - Windows System Shutdown CommandLine - Rule", analyticstories="DarkCrystal RAT", annotations="{\"analytic_story\":[\"DarkCrystal RAT\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Actions on Objectives\"],\"mitre_attack\":[\"T1529\"],\"nist\":[\"DE.AE\"]}", annotations._all="DarkCrystal RAT", annotations._all="CIS 10", annotations._all="Actions on Objectives", annotations._all="T1529", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="DarkCrystal RAT", annotations.cis20="CIS 10", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1529", annotations.nist="DE.AE", dest="ar-win-dc", firstTime="2023-06-14T11:37:49", info_max_time="1686742800.000000000", info_min_time="1686742200.000000000", info_search_time="1686742815.066472000", lastTime="2023-06-14T11:37:49", original_file_name="SHUTDOWN.EXE", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process_id="null", process="shutdown  /s /t 0", process_id="5748", process_name="shutdown.exe", risk_message="Process shutdown.exe seen to execute shutdown via commandline on ar-win-dc", risk_object="ar-win-dc", risk_object_type="system", risk_score="49.0", savedsearch_description="The following analytic identifies Windows commandline to shutdown a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to shutdown a machine.", user="ATTACKRANGE\\Administrator"
1686742781, search_name="ESCU - Icacls Deny Command - Rule", analyticstories="Azorult", analyticstories="Sandworm Tools", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Azorult\",\"Sandworm Tools\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="Azorult", annotations._all="T1222", annotations._all="DE.CM", annotations._all="Sandworm Tools", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="XMRig", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Azorult", annotations.analytic_story="Sandworm Tools", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:25:04", info_max_time="1686742200.000000000", info_min_time="1686741600.000000000", info_search_time="1686742776.118687000", lastTime="2023-06-14T11:25:04", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /deny test ZELMA_HENDERSON", process="cacls   /deny test ZELMA_HENDERSON", process_id="0x1274", process_id="4724", process_name="cacls.exe", risk_message="Process name cacls.exe with deny argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="Administrator", risk_object_type="user", risk_score="72.0", savedsearch_description="This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files.", user="Administrator"
1686742781, search_name="ESCU - Icacls Deny Command - Rule", analyticstories="Azorult", analyticstories="Sandworm Tools", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Azorult\",\"Sandworm Tools\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="Azorult", annotations._all="T1222", annotations._all="DE.CM", annotations._all="Sandworm Tools", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="XMRig", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Azorult", annotations.analytic_story="Sandworm Tools", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:25:04", info_max_time="1686742200.000000000", info_min_time="1686741600.000000000", info_search_time="1686742776.118687000", lastTime="2023-06-14T11:25:04", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /deny test ZELMA_HENDERSON", process="cacls   /deny test ZELMA_HENDERSON", process_id="0x1274", process_id="4724", process_name="cacls.exe", risk_message="Process name cacls.exe with deny argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="72.0", savedsearch_description="This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files.", user="Administrator"
1686742180, search_name="ESCU - Icacls Deny Command - Rule", analyticstories="Azorult", analyticstories="Sandworm Tools", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Azorult\",\"Sandworm Tools\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="XMRig", annotations._all="Azorult", annotations._all="CIS 10", annotations._all="T1222", annotations._all="DE.CM", annotations._all="Sandworm Tools", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Azorult", annotations.analytic_story="Sandworm Tools", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:16:33", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742175.040681000", lastTime="2023-06-14T11:16:33", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /deny test ZELMA_HENDERSON", process="cacls   /deny test ZELMA_HENDERSON", process_id="0x15b4", process_id="5556", process_name="cacls.exe", risk_message="Process name cacls.exe with deny argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="Administrator", risk_object_type="user", risk_score="72.0", savedsearch_description="This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files.", user="Administrator"
1686742180, search_name="ESCU - Icacls Deny Command - Rule", analyticstories="Azorult", analyticstories="Sandworm Tools", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Azorult\",\"Sandworm Tools\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="XMRig", annotations._all="Azorult", annotations._all="CIS 10", annotations._all="T1222", annotations._all="DE.CM", annotations._all="Sandworm Tools", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Azorult", annotations.analytic_story="Sandworm Tools", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:16:33", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742175.040681000", lastTime="2023-06-14T11:16:33", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /deny test ZELMA_HENDERSON", process="cacls   /deny test ZELMA_HENDERSON", process_id="0x15b4", process_id="5556", process_name="cacls.exe", risk_message="Process name cacls.exe with deny argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="72.0", savedsearch_description="This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files.", user="Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:33", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:33", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x1468", process="C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable", process_id="0x1608", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:33", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:33", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x1468", process="C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable", process_id="0x1608", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:27", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:27", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x1468", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process_id="0x1328", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:27", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:27", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x1468", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process_id="0x1328", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:33", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:33", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", parent_process_id="5224", process="netsh  firewall set opmode mode=disable", process_id="5640", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:33", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:33", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", parent_process_id="5224", process="netsh  firewall set opmode mode=disable", process_id="5640", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:27", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:27", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", parent_process_id="5224", process="netsh  advfirewall set currentprofile state off", process_id="4904", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:27", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:27", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\"", parent_process_id="5224", process="netsh  advfirewall set currentprofile state off", process_id="4904", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:35", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:35", original_file_name="netsh.exe", parent_process="unknown", parent_process_id="null", process="netsh  firewall set opmode mode=disable", process_id="5224", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by unknown.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="unknown"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:35", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:35", original_file_name="netsh.exe", parent_process="unknown", parent_process_id="null", process="netsh  firewall set opmode mode=disable", process_id="5224", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by unknown.", risk_object="unknown", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="unknown"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:35", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:35", original_file_name="netsh.exe", parent_process="unknown", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="5224", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by unknown.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="unknown"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:35", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:35", original_file_name="netsh.exe", parent_process="unknown", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="5224", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by unknown.", risk_object="unknown", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="unknown"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:28", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:28", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process_id="null", process="netsh  firewall set opmode mode=disable", process_id="5640", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:28", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:28", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process_id="null", process="netsh  firewall set opmode mode=disable", process_id="5640", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:28", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:28", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="4904", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686742020, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="Windows Defense Evasion Tactics", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="Exploitation", annotations._all="T1562", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:28", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686742014.978798000", lastTime="2023-06-14T11:11:28", original_file_name="netsh.exe", parent_process="\"C:\\Windows\\system32\\cmd.exe\" ", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="4904", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:27", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:27", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4828", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:27", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:27", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4828", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:27", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:27", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4828", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="unknown", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:27", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:27", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4828", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1356", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1356", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1356", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="unknown", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1356", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:14", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:14", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5460", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:14", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:14", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5460", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:14", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:14", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5460", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:14", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:14", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5460", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5460", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5460", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5460", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5460", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:20", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:20", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:20", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:20", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:20", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:20", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:20", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:20", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:11:17", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:17", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="4952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:14", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:14", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x1554", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:14", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:14", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x1554", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:14", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:14", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x1554", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:14", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:14", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x1554", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:20", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:20", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x1358", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:20", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:20", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x1358", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:20", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:20", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x1358", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741843, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="FIN7", annotations._all="CIS 10", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Installation", annotations._all="T1059", annotations._all="Qakbot", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:11:20", info_max_time="1686741600.000000000", info_min_time="1686741000.000000000", info_search_time="1686741838.041667000", lastTime="2023-06-14T11:11:20", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x1358", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741580, search_name="ESCU - Icacls Deny Command - Rule", analyticstories="Azorult", analyticstories="Sandworm Tools", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Azorult\",\"Sandworm Tools\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="XMRig", annotations._all="T1222", annotations._all="Sandworm Tools", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Azorult", annotations.analytic_story="Sandworm Tools", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="4", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741575.801079000", lastTime="2023-06-14T11:05:51", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /deny test ZELMA_HENDERSON", process="cacls   /deny test ZELMA_HENDERSON", process_id="0x1714", process_id="0xc64", process_id="3172", process_id="5908", process_name="cacls.exe", risk_message="Process name cacls.exe with deny argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="Administrator", risk_object_type="user", risk_score="72.0", savedsearch_description="This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files.", user="Administrator"
1686741580, search_name="ESCU - Icacls Deny Command - Rule", analyticstories="Azorult", analyticstories="Sandworm Tools", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Azorult\",\"Sandworm Tools\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="XMRig", annotations._all="T1222", annotations._all="Sandworm Tools", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Exploitation", annotations._all="Azorult", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Azorult", annotations.analytic_story="Sandworm Tools", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="4", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741575.801079000", lastTime="2023-06-14T11:05:51", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /deny test ZELMA_HENDERSON", process="cacls   /deny test ZELMA_HENDERSON", process_id="0x1714", process_id="0xc64", process_id="3172", process_id="5908", process_name="cacls.exe", risk_message="Process name cacls.exe with deny argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="72.0", savedsearch_description="This analytic identifies a potential adversary that changes the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft or coinminer scripts. This behavior is meant to evade detection and prevent access to their component files.", user="Administrator"
1686741554, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Ransomware", annotations._all="Exploitation", annotations._all="T1222", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="4", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741550.353979000", lastTime="2023-06-14T11:05:51", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /grant test ZELMA_HENDERSON", process="cacls   /grant test ZELMA_HENDERSON", process_id="0x16e8", process_id="0x1740", process_id="5864", process_id="5952", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="Administrator", risk_object_type="user", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="Administrator"
1686741554, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Ransomware", annotations._all="Exploitation", annotations._all="T1222", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="4", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741550.353979000", lastTime="2023-06-14T11:05:51", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /grant test ZELMA_HENDERSON", process="cacls   /grant test ZELMA_HENDERSON", process_id="0x16e8", process_id="0x1740", process_id="5864", process_id="5952", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="Administrator"
1686741554, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Ransomware", annotations._all="Exploitation", annotations._all="T1222", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741550.353979000", lastTime="2023-06-14T11:05:54", parent_process_name="cmd.exe", process="cacls   /grant test ZELMA_HENDERSON", process_id="5812", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by unknown to change security permission of a specific file or directory on host ar-win-dc", risk_object="unknown", risk_object_type="user", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="unknown"
1686741554, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Ransomware", annotations._all="Exploitation", annotations._all="T1222", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741550.353979000", lastTime="2023-06-14T11:05:54", parent_process_name="cmd.exe", process="cacls   /grant test ZELMA_HENDERSON", process_id="5812", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by unknown to change security permission of a specific file or directory on host ar-win-dc", risk_object="ar-win-dc", risk_object_type="system", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="unknown"
1686741554, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Ransomware", annotations._all="Exploitation", annotations._all="T1222", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741550.353979000", lastTime="2023-06-14T11:05:43", parent_process_name="cmd.exe", process="cacls   /grant test ZELMA_HENDERSON", process_id="5864", process_id="5952", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by ATTACKRANGE\\Administrator to change security permission of a specific file or directory on host ar-win-dc", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="ATTACKRANGE\\Administrator"
1686741554, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Ransomware", annotations._all="Exploitation", annotations._all="T1222", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="2", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741550.353979000", lastTime="2023-06-14T11:05:43", parent_process_name="cmd.exe", process="cacls   /grant test ZELMA_HENDERSON", process_id="5864", process_id="5952", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by ATTACKRANGE\\Administrator to change security permission of a specific file or directory on host ar-win-dc", risk_object="ar-win-dc", risk_object_type="system", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="ATTACKRANGE\\Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:54", original_file_name="netsh.exe", parent_process="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Temp\\1.bat\" \"", parent_process_id="5812", process="netsh  firewall set opmode mode=disable", process_id="5044", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:54", original_file_name="netsh.exe", parent_process="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Temp\\1.bat\" \"", parent_process_id="5812", process="netsh  firewall set opmode mode=disable", process_id="5044", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:52", original_file_name="netsh.exe", parent_process="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Temp\\1.bat\" \"", parent_process_id="5812", process="netsh  advfirewall set currentprofile state off", process_id="6056", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:52", original_file_name="netsh.exe", parent_process="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Temp\\1.bat\" \"", parent_process_id="5812", process="netsh  advfirewall set currentprofile state off", process_id="6056", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:54", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x16b4", process="C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable", process_id="0x13b4", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:54", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x16b4", process="C:\\Windows\\System32\\netsh.exe firewall set opmode mode=disable", process_id="0x13b4", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:01:25", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x14d0", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process_id="0xe8c", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:01:25", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x14d0", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process_id="0xe8c", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x16b4", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process_id="0x17a8", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x16b4", process="C:\\Windows\\System32\\netsh.exe advfirewall set currentprofile state off", process_id="0x17a8", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:01:25", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="5328", process="netsh  advfirewall set currentprofile state off", process_id="3724", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:01:25", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="5328", process="netsh  advfirewall set currentprofile state off", process_id="3724", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc.attackrange.local by Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:54", original_file_name="netsh.exe", parent_process="unknown", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="5812", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by unknown.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="unknown"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:54", original_file_name="netsh.exe", parent_process="unknown", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="5812", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by unknown.", risk_object="unknown", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="unknown"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:54", original_file_name="netsh.exe", parent_process="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Temp\\1.bat\" \"", parent_process_id="null", process="netsh  firewall set opmode mode=disable", process_id="5044", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:54", original_file_name="netsh.exe", parent_process="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Temp\\1.bat\" \"", parent_process_id="null", process="netsh  firewall set opmode mode=disable", process_id="5044", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:54", original_file_name="netsh.exe", parent_process="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Temp\\1.bat\" \"", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="6056", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:05:54", original_file_name="netsh.exe", parent_process="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Temp\\1.bat\" \"", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="6056", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:01:25", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="3724", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ar-win-dc", risk_object_type="system", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686741420, search_name="ESCU - Disabling Firewall with Netsh - Rule", analyticstories="Windows Defense Evasion Tactics", annotations="{\"analytic_story\":[\"Windows Defense Evasion Tactics\"],\"cis20\":[\"CIS 10\"],\"confidence\":50,\"impact\":50,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1562.001\",\"T1562\"],\"nist\":[\"DE.AE\"]}", annotations._all="T1562", annotations._all="Exploitation", annotations._all="CIS 10", annotations._all="T1562.001", annotations._all="DE.AE", annotations._all="Windows Defense Evasion Tactics", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Windows Defense Evasion Tactics", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1562.001", annotations.mitre_attack="T1562", annotations.nist="DE.AE", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741415.282926000", lastTime="2023-06-14T11:01:25", original_file_name="netsh.exe", parent_process="\"cmd.exe\" /s /k pushd \"C:\\Temp\"", parent_process_id="null", process="netsh  advfirewall set currentprofile state off", process_id="3724", process_name="netsh.exe", risk_message="The Windows Firewall was disabled on ar-win-dc by ATTACKRANGE\\Administrator.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="25.0", savedsearch_description="This search is to identifies suspicious firewall disabling using netsh application. this technique is commonly seen in malware that tries to communicate or download its component or other payload to its C2 server.", user="ATTACKRANGE\\Administrator"
1686741332, search_name="ESCU - Windows Create Local Account - Rule", action="created", annotations="{\"analytic_story\":[\"Account Monitoring and Controls\"],\"cis20\":[\"CIS 10\"],\"confidence\":90,\"impact\":20,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Account Monitoring and Controls", annotations._all="T1136.001", annotations._all="DE.AE", annotations._all="T1136", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Account Monitoring and Controls", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741326.913706000", lastTime="2023-06-14T11:01:25", result="account was created", result_id="4720", risk_message="The following art-test was added to ar-win-dc.attackrange.local as a local account.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="18.0", savedsearch_description="The following analytic identifies a new local user account added to a computer. Note that, this should be restricted to critical assets.", user="art-test"
1686741332, search_name="ESCU - Windows Create Local Account - Rule", action="created", annotations="{\"analytic_story\":[\"Account Monitoring and Controls\"],\"cis20\":[\"CIS 10\"],\"confidence\":90,\"impact\":20,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1136.001\",\"T1136\"],\"nist\":[\"DE.AE\"]}", annotations._all="CIS 10", annotations._all="Account Monitoring and Controls", annotations._all="T1136.001", annotations._all="DE.AE", annotations._all="T1136", annotations._all="Installation", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Account Monitoring and Controls", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1136.001", annotations.mitre_attack="T1136", annotations.nist="DE.AE", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741326.913706000", lastTime="2023-06-14T11:01:25", result="account was created", result_id="4720", risk_message="The following art-test was added to ar-win-dc.attackrange.local as a local account.", risk_object="art-test", risk_object_type="user", risk_score="18.0", savedsearch_description="The following analytic identifies a new local user account added to a computer. Note that, this should be restricted to critical assets.", user="art-test"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6016", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6016", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6016", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="unknown", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6016", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="unknown", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="unknown", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5952", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="unknown"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5988", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5988", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5988", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5988", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5988", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5988", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5988", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="5988", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:24", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1584", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:24", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1584", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:24", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1584", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:24", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1584", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1584", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1584", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1584", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  user art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="1584", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6036", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6036", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6036", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6036", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6036", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6036", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6036", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:05:54", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:54", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="6036", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="2740", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="2740", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="2740", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="2740", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="2740", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="2740", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="2740", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="net1.exe", parent_process="net  localgroup administrators art-test /add", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="2740", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="ATTACKRANGE\\Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0xab4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0xab4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0xab4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:25", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:25", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0xab4", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:24", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x630", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:24", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x630", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:24", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x630", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:01:24", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:01:24", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x630", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x1794", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x1794", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x1794", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  localgroup administrators art-test /add", process_id="0x1794", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x1764", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x1764", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x1764", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686741244, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="T1059.007", annotations._all="Installation", annotations._all="Qakbot", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="T1059", annotations._all="FIN7", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T11:05:52", info_max_time="1686741000.000000000", info_min_time="1686740400.000000000", info_search_time="1686741238.459499000", lastTime="2023-06-14T11:05:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user art-test /add", process_id="0x1764", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686740953, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="Ransomware", annotations._all="T1222", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Exploitation", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T10:50:43", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740948.560498000", lastTime="2023-06-14T10:50:43", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /grant test ZELMA_HENDERSON", process="cacls  /grant test ZELMA_HENDERSON", process_id="0x61c", process_id="1564", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="Administrator", risk_object_type="user", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="Administrator"
1686740953, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="Ransomware", annotations._all="T1222", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Exploitation", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="2", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T10:50:43", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740948.560498000", lastTime="2023-06-14T10:50:43", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\cacls.exe /grant test ZELMA_HENDERSON", process="cacls  /grant test ZELMA_HENDERSON", process_id="0x61c", process_id="1564", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by Administrator to change security permission of a specific file or directory on host ar-win-dc.attackrange.local", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="Administrator"
1686740953, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="Ransomware", annotations._all="T1222", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Exploitation", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T10:50:27", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740948.560498000", lastTime="2023-06-14T10:50:27", parent_process_name="cmd.exe", process="cacls  /grant test ZELMA_HENDERSON", process_id="160", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by unknown to change security permission of a specific file or directory on host ar-win-dc", risk_object="unknown", risk_object_type="user", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="unknown"
1686740953, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="Ransomware", annotations._all="T1222", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Exploitation", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T10:50:27", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740948.560498000", lastTime="2023-06-14T10:50:27", parent_process_name="cmd.exe", process="cacls  /grant test ZELMA_HENDERSON", process_id="160", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by unknown to change security permission of a specific file or directory on host ar-win-dc", risk_object="ar-win-dc", risk_object_type="system", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="unknown"
1686740953, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="Ransomware", annotations._all="T1222", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Exploitation", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T10:50:27", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740948.560498000", lastTime="2023-06-14T10:50:27", parent_process_name="cmd.exe", process="cacls  /grant test ZELMA_HENDERSON", process_id="1564", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by ATTACKRANGE\\Administrator to change security permission of a specific file or directory on host ar-win-dc", risk_object="ATTACKRANGE\\Administrator", risk_object_type="user", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="ATTACKRANGE\\Administrator"
1686740953, search_name="ESCU - ICACLS Grant Command - Rule", analyticstories="Ransomware", analyticstories="XMRig", annotations="{\"analytic_story\":[\"XMRig\",\"Ransomware\"],\"cis20\":[\"CIS 10\"],\"confidence\":70,\"impact\":70,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1222\"],\"nist\":[\"DE.CM\"]}", annotations._all="Ransomware", annotations._all="T1222", annotations._all="CIS 10", annotations._all="XMRig", annotations._all="Exploitation", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="XMRig", annotations.analytic_story="Ransomware", annotations.cis20="CIS 10", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1222", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T10:50:27", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740948.560498000", lastTime="2023-06-14T10:50:27", parent_process_name="cmd.exe", process="cacls  /grant test ZELMA_HENDERSON", process_id="1564", process_name="cacls.exe", risk_message="Process name cacls.exe with grant argument executed by ATTACKRANGE\\Administrator to change security permission of a specific file or directory on host ar-win-dc", risk_object="ar-win-dc", risk_object_type="system", risk_score="49.0", savedsearch_description="This analytic identifies potential adversaries that modify the security permission of a specific file or directory. This technique is commonly seen in APT tradecraft and coinminer scripts to evade detections and restrict access to their component files.", user="ATTACKRANGE\\Administrator"
1686740643, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059", annotations._all="FIN7", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T10:50:23", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740637.810390000", lastTime="2023-06-14T10:50:23", original_file_name="net1.exe", parent_process="net  user", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user", process_id="5484", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686740643, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059", annotations._all="FIN7", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T10:50:23", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740637.810390000", lastTime="2023-06-14T10:50:23", original_file_name="net1.exe", parent_process="net  user", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user", process_id="5484", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686740643, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059", annotations._all="FIN7", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T10:50:23", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740637.810390000", lastTime="2023-06-14T10:50:23", original_file_name="net1.exe", parent_process="net  user", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user", process_id="5484", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686740643, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059", annotations._all="FIN7", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T10:50:23", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740637.810390000", lastTime="2023-06-14T10:50:23", original_file_name="net1.exe", parent_process="net  user", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user", process_id="5484", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686740643, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059", annotations._all="FIN7", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T10:50:23", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740637.810390000", lastTime="2023-06-14T10:50:23", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user", process_id="0x156c", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net1.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686740643, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059", annotations._all="FIN7", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T10:50:23", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740637.810390000", lastTime="2023-06-14T10:50:23", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user", process_id="0x156c", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686740643, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059", annotations._all="FIN7", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T10:50:23", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740637.810390000", lastTime="2023-06-14T10:50:23", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user", process_id="0x156c", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="Administrator", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686740643, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="Installation", annotations._all="T1059.007", annotations._all="DE.CM", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059", annotations._all="FIN7", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc.attackrange.local", firstTime="2023-06-14T10:50:23", info_max_time="1686740400.000000000", info_min_time="1686739800.000000000", info_search_time="1686740637.810390000", lastTime="2023-06-14T10:50:23", original_file_name="unknown", parent_process="C:\\Windows\\System32\\net.exe", parent_process_name="net.exe", process="C:\\Windows\\system32\\net1  user", process_id="0x156c", process_name="net1.exe", risk_message="A non-standard parent process net.exe spawned child process net1.exe to execute command-line tool on ar-win-dc.attackrange.local.", risk_object="ar-win-dc.attackrange.local", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="Administrator"
1686740043, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1059", annotations._all="FIN7", annotations._all="Installation", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059.007", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T10:49:28", info_max_time="1686739800.000000000", info_min_time="1686739200.000000000", info_search_time="1686740038.683833000", lastTime="2023-06-14T10:49:28", original_file_name="net.exe", parent_process="unknown", parent_process_name="unknown", process="net  user", process_id="5440", process_name="net.exe", risk_message="A non-standard parent process unknown spawned child process net.exe to execute command-line tool on ar-win-dc.", risk_object="net.exe", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="S-1-5-21-647039874-1738661239-2692048096-500"
1686740043, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1059", annotations._all="FIN7", annotations._all="Installation", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059.007", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T10:49:28", info_max_time="1686739800.000000000", info_min_time="1686739200.000000000", info_search_time="1686740038.683833000", lastTime="2023-06-14T10:49:28", original_file_name="net.exe", parent_process="unknown", parent_process_name="unknown", process="net  user", process_id="5440", process_name="net.exe", risk_message="A non-standard parent process unknown spawned child process net.exe to execute command-line tool on ar-win-dc.", risk_object="unknown", risk_object_type="other", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="S-1-5-21-647039874-1738661239-2692048096-500"
1686740043, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1059", annotations._all="FIN7", annotations._all="Installation", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059.007", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T10:49:28", info_max_time="1686739800.000000000", info_min_time="1686739200.000000000", info_search_time="1686740038.683833000", lastTime="2023-06-14T10:49:28", original_file_name="net.exe", parent_process="unknown", parent_process_name="unknown", process="net  user", process_id="5440", process_name="net.exe", risk_message="A non-standard parent process unknown spawned child process net.exe to execute command-line tool on ar-win-dc.", risk_object="S-1-5-21-647039874-1738661239-2692048096-500", risk_object_type="user", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="S-1-5-21-647039874-1738661239-2692048096-500"
1686740043, search_name="ESCU - Cmdline Tool Not Executed In CMD Shell - Rule", analyticstories="CISA AA22-277A", analyticstories="FIN7", analyticstories="Qakbot", annotations="{\"analytic_story\":[\"FIN7\",\"Qakbot\",\"CISA AA22-277A\",\"Qakbot\"],\"cis20\":[\"CIS 10\"],\"confidence\":80,\"impact\":70,\"kill_chain_phases\":[\"Installation\"],\"mitre_attack\":[\"T1059\",\"T1059.007\"],\"nist\":[\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="T1059", annotations._all="FIN7", annotations._all="Installation", annotations._all="CISA AA22-277A", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1059.007", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="FIN7", annotations.analytic_story="Qakbot", annotations.analytic_story="CISA AA22-277A", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.kill_chain_phases="Installation", annotations.mitre_attack="T1059", annotations.mitre_attack="T1059.007", annotations.nist="DE.CM", count="1", dest="ar-win-dc", firstTime="2023-06-14T10:49:28", info_max_time="1686739800.000000000", info_min_time="1686739200.000000000", info_search_time="1686740038.683833000", lastTime="2023-06-14T10:49:28", original_file_name="net.exe", parent_process="unknown", parent_process_name="unknown", process="net  user", process_id="5440", process_name="net.exe", risk_message="A non-standard parent process unknown spawned child process net.exe to execute command-line tool on ar-win-dc.", risk_object="ar-win-dc", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", user="S-1-5-21-647039874-1738661239-2692048096-500"