1681925934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", firstTime="2023-04-19T15:53:43", info_max_time="1681923000.000000000", info_min_time="1681919400.000000000", 
info_search_time="1681925929.305066000", lastTime="2023-04-19T16:48:50", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681922335, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T14:53:35", info_max_time="1681919400.000000000", info_min_time="1681915800.000000000", info_search_time="1681922329.584218000", lastTime="2023-04-19T15:48:43", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681918735, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1047", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T13:53:27", info_max_time="1681915800.000000000", info_min_time="1681912200.000000000", info_search_time="1681918729.914196000", lastTime="2023-04-19T14:48:35", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681915133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T12:53:18", info_max_time="1681912200.000000000", info_min_time="1681908600.000000000", info_search_time="1681915129.187236000", lastTime="2023-04-19T13:48:26", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681911533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T11:53:09", info_max_time="1681908600.000000000", info_min_time="1681905000.000000000", info_search_time="1681911528.789812000", lastTime="2023-04-19T12:48:18", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681907933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1047", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T10:53:02", info_max_time="1681905000.000000000", info_min_time="1681901400.000000000", info_search_time="1681907929.435977000", lastTime="2023-04-19T11:48:09", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681904332, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T09:52:53", info_max_time="1681901400.000000000", info_min_time="1681897800.000000000", info_search_time="1681904328.968437000", lastTime="2023-04-19T10:48:01", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681900732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T08:52:44", info_max_time="1681897800.000000000", info_min_time="1681894200.000000000", info_search_time="1681900729.332847000", lastTime="2023-04-19T09:47:51", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681897132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T07:52:36", info_max_time="1681894200.000000000", info_min_time="1681890600.000000000", info_search_time="1681897129.321025000", lastTime="2023-04-19T08:47:44", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681893532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T06:52:27", info_max_time="1681890600.000000000", info_min_time="1681887000.000000000", info_search_time="1681893529.197927000", lastTime="2023-04-19T07:47:36", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681889932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T05:52:20", info_max_time="1681887000.000000000", info_min_time="1681883400.000000000", info_search_time="1681889929.213709000", lastTime="2023-04-19T06:47:26", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681886332, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1047", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T04:52:11", info_max_time="1681883400.000000000", info_min_time="1681879800.000000000", info_search_time="1681886328.806860000", lastTime="2023-04-19T05:47:19", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681882732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T03:52:04", info_max_time="1681879800.000000000", info_min_time="1681876200.000000000", info_search_time="1681882729.464222000", lastTime="2023-04-19T04:47:10", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681879132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T02:51:55", info_max_time="1681876200.000000000", info_min_time="1681872600.000000000", info_search_time="1681879128.911764000", lastTime="2023-04-19T03:47:03", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681875533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T01:51:46", info_max_time="1681872600.000000000", info_min_time="1681869000.000000000", info_search_time="1681875529.036499000", lastTime="2023-04-19T02:46:54", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681871932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-19T00:51:39", info_max_time="1681869000.000000000", info_min_time="1681865400.000000000", info_search_time="1681871928.786099000", lastTime="2023-04-19T01:46:46", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681868333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T23:51:31", info_max_time="1681865400.000000000", info_min_time="1681861800.000000000", info_search_time="1681868329.486368000", lastTime="2023-04-19T00:46:39", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681864732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T22:51:23", info_max_time="1681861800.000000000", info_min_time="1681858200.000000000", info_search_time="1681864728.838473000", lastTime="2023-04-18T23:46:31", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681861132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="T1021", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T21:51:14", info_max_time="1681858200.000000000", info_min_time="1681854600.000000000", info_search_time="1681861129.223327000", lastTime="2023-04-18T22:46:22", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681857531, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1021", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T20:51:05", info_max_time="1681854600.000000000", info_min_time="1681851000.000000000", info_search_time="1681857528.590227000", lastTime="2023-04-18T21:46:14", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681853932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T19:50:56", info_max_time="1681851000.000000000", info_min_time="1681847400.000000000", info_search_time="1681853928.885024000", lastTime="2023-04-18T20:46:04", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681850332, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T18:50:47", info_max_time="1681847400.000000000", info_min_time="1681843800.000000000", info_search_time="1681850329.180808000", lastTime="2023-04-18T19:45:55", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681846732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T17:50:40", info_max_time="1681843800.000000000", info_min_time="1681840200.000000000", info_search_time="1681846728.855879000", lastTime="2023-04-18T18:45:47", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681846732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="6", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T18:18:52", info_max_time="1681843800.000000000", info_min_time="1681840200.000000000", info_search_time="1681846728.855879000", lastTime="2023-04-18T18:18:52", parent_process_id="3636", parent_process_name="wmiprvse.exe", process="unknown", process_id="7708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681846732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="15", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T18:18:51", info_max_time="1681843800.000000000", info_min_time="1681840200.000000000", info_search_time="1681846728.855879000", lastTime="2023-04-18T18:18:52", parent_process_id="3636", parent_process_name="wmiprvse.exe", process="unknown", process_id="5432", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681846732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="5", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T18:15:23", info_max_time="1681843800.000000000", info_min_time="1681840200.000000000", info_search_time="1681846728.855879000", lastTime="2023-04-18T18:45:29", parent_process_id="1368", parent_process_name="svchost.exe", process="unknown", process_id="7708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681846732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="5", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T18:15:22", info_max_time="1681843800.000000000", info_min_time="1681840200.000000000", info_search_time="1681846728.855879000", lastTime="2023-04-18T18:45:29", parent_process_id="1368", parent_process_name="svchost.exe", process="unknown", process_id="5432", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681837200, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681837200", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:03:55", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843885.292816000", lastTime="2023-04-18T17:08:34", parent_process="unknown", parent_process_name="wmiprvse.exe", process="unknown", 
process_guid="{a759a8bc-cd51-643e-0b00-000000000c00}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", registry_value_name="ImagePath", risk_message="A Windows Service was created on an endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic looks for suspicious modification or creation of a registry service entry. This technique is abused by adversaries or threat actors to persist, gain privileges on the machine, or even move laterally. This technique can be executed using the reg.exe application or the Windows API, as for example the CrashOverride malware does. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681837200, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681837200", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="DE.CM", 
annotations._all="Windows Persistence Techniques", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:03:36", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843885.292816000", lastTime="2023-04-18T17:03:36", parent_process="unknown", parent_process_name="wininit.exe", process="unknown", process_guid="{a759a8bc-cd51-643e-0b00-000000000c00}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", registry_value_name="ImagePath", risk_message="A Windows Service was created on an endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic looks for suspicious modification or creation of a registry service entry. This technique is abused by adversaries or threat actors to persist, gain privileges on the machine, or even move laterally. This technique can be executed using the reg.exe application or the Windows API, as for example the CrashOverride malware does. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681837200, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681837200", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:03:36", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843885.292816000", lastTime="2023-04-18T17:03:40", parent_process="unknown", parent_process_name="unknown", process="unknown", process_guid="{a759a8bc-cd51-643e-0b00-000000000c00}", 
process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", registry_value_name="ImagePath", risk_message="A Windows Service was created on an endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic looks for suspicious modification or creation of a registry service entry. This technique is abused by adversaries or threat actors to persist, gain privileges on the machine, or even move laterally. This technique can be executed using the reg.exe application or the Windows API, as for example the CrashOverride malware does. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681837200, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681837200", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", 
annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:03:36", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843885.292816000", lastTime="2023-04-18T17:45:20", parent_process="unknown", parent_process_name="svchost.exe", process="unknown", process_guid="{a759a8bc-cd51-643e-0b00-000000000c00}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", registry_value_name="ImagePath", risk_message="A Windows Service was created on an endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic looks for suspicious modification or creation of a registry service entry. This technique is abused by adversaries or threat actors to persist, gain privileges on the machine, or even move laterally. This technique can be executed using the reg.exe application or the Windows API, as for example the CrashOverride malware does. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681837200, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681837200", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:27:06", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843885.292816000", lastTime="2023-04-18T17:27:06", parent_process="unknown", parent_process_name="setup.exe", process="unknown", process_guid="{a759a8bc-cd51-643e-0b00-000000000c00}", 
process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681837200, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681837200", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", 
annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:03:36", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843885.292816000", lastTime="2023-04-18T17:39:26", parent_process="unknown", parent_process_name="lsass.exe", process="unknown", process_guid="{a759a8bc-cd51-643e-0b00-000000000c00}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681837200, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681837200", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:03:36", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843885.292816000", lastTime="2023-04-18T17:03:36", parent_process="unknown", parent_process_name="csrss.exe", process="unknown", process_guid="{a759a8bc-cd51-643e-0b00-000000000c00}", 
process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681837200, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681837200", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", 
annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:04:37", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843885.292816000", lastTime="2023-04-18T17:39:26", parent_process="unknown", parent_process_name="MsMpEng.exe", process="unknown", process_guid="{a759a8bc-cd51-643e-0b00-000000000c00}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681837200, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681837200", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:03:56", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843885.292816000", lastTime="2023-04-18T17:03:56", parent_process="unknown", parent_process_name="MicrosoftEdgeUpdate.exe", process="unknown", 
process_guid="{a759a8bc-cd51-643e-0b00-000000000c00}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681837200, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681837200", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="DE.CM", 
annotations._all="Windows Persistence Techniques", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:12:02", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843885.292816000", lastTime="2023-04-18T17:12:02", parent_process="unknown", parent_process_name="CompatTelRunner.exe", process="unknown", process_guid="{a759a8bc-cd51-643e-0b00-000000000c00}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681837200, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681837200", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:03:36", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843885.292816000", lastTime="2023-04-18T17:03:36", parent_process="wininit.exe", parent_process_name="wininit.exe", process="C:\\Windows\\system32\\services.exe", 
process_guid="{a759a8bc-cd51-643e-0b00-000000000c00}", process_name="services.exe", process_path="C:\\Windows\\System32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AarSvc_1b89ec\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k AarSvcGroup -p", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", 
annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:14:58", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:14:58", parent_process="unknown", parent_process_id="924", process="unknown", process_id="644", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The 
Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:08:11", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:08:11", parent_process="unknown", parent_process_id="924", process="unknown", process_id="7548", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:08:11", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:08:11", parent_process="unknown", parent_process_id="800", process="unknown", process_id="7548", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="200", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:08:11", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:08:16", parent_process="unknown", parent_process_id="1492", process="unknown", process_id="7548", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:08:10", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:08:11", parent_process="unknown", parent_process_id="1380", process="unknown", process_id="7548", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following 
analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:07:28", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:07:28", parent_process="unknown", parent_process_id="924", process="unknown", process_id="6164", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", 
risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:07:28", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:07:28", parent_process="unknown", parent_process_id="800", process="unknown", process_id="6164", process_name="runonce.exe", risk_message="Svchost.exe spawned 
a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:07:28", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:07:28", parent_process="unknown", parent_process_id="4660", process="unknown", 
process_id="6164", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="204", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:07:28", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", 
lastTime="2023-04-18T17:07:30", parent_process="unknown", parent_process_id="1492", process="unknown", process_id="6164", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:07:28", info_max_time="1681840200.000000000", 
info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:07:28", parent_process="unknown", parent_process_id="1380", process="unknown", process_id="6164", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:14:58", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:14:58", parent_process="unknown", parent_process_id="800", process="unknown", process_id="644", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", 
annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:14:58", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:14:59", parent_process="unknown", parent_process_id="1432", process="unknown", process_id="644", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681843384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The 
Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T17:14:58", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843378.689298000", lastTime="2023-04-18T17:14:58", parent_process="C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv", parent_process_id="1432", process="\"C:\\Windows\\system32\\wuauclt.exe\" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId 8a035270-25f4-4618-8a92-c4e79cff234d /RunHandlerComServer", process_id="644", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", 
dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:50:23", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T16:50:24", parent_process_id="748", parent_process_name="svchost.exe", process="unknown", process_id="2248", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T16:50:33", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:45:41", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:23:33", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:23:33", parent_process_id="924", parent_process_name="svchost.exe", process="unknown", process_id="7708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:23:33", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:23:39", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="7708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:23:33", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:23:33", parent_process_id="4660", parent_process_name="svchost.exe", process="unknown", process_id="7708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:23:33", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:23:33", parent_process_id="1380", parent_process_name="svchost.exe", process="unknown", process_id="7708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="5", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:24:32", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:45:20", parent_process_id="1368", parent_process_name="svchost.exe", process="unknown", process_id="7708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:22:37", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:22:37", parent_process_id="924", parent_process_name="svchost.exe", process="unknown", process_id="7136", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:22:37", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:22:37", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="7136", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:22:37", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:22:37", parent_process_id="1380", parent_process_name="svchost.exe", process="unknown", process_id="7136", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:12:44", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:12:44", parent_process_id="924", parent_process_name="svchost.exe", process="unknown", process_id="6156", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:05:17", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:05:17", parent_process_id="924", parent_process_name="svchost.exe", process="unknown", process_id="5432", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:12:35", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:12:35", parent_process_id="924", parent_process_name="svchost.exe", process="unknown", process_id="5128", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="6", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:12:43", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:12:49", parent_process_id="4064", parent_process_name="wmiprvse.exe", process="unknown", process_id="6156", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="424", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:05:15", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:19:35", parent_process_id="4064", parent_process_name="wmiprvse.exe", process="unknown", process_id="5432", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="10", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:12:34", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:12:49", parent_process_id="4064", parent_process_name="wmiprvse.exe", process="unknown", process_id="5128", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:12:44", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:12:44", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="6156", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:05:17", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:05:17", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="5432", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="6", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:06:09", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:45:20", parent_process_id="1368", parent_process_name="svchost.exe", process="unknown", process_id="5432", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:12:35", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:12:35", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="5128", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681843133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="4", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T17:23:45", info_max_time="1681840200.000000000", info_min_time="1681836600.000000000", info_search_time="1681843129.208436000", lastTime="2023-04-18T17:23:45", parent_process_id="6576", parent_process_name="svchost.exe", process="unknown", process_id="7708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="Michael Haag" 1681840295, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="T1021", annotations._all="Ryuk Ransomware", annotations._all="SamSam Ransomware", annotations._all="CIS 13", annotations._all="Hidden Cobra Malware", annotations._all="DE.AE", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.001", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="2", dest="10.0.1.17", dest_port="3389", firstTime="2023-04-18T16:30:23", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840289.996918000", lastTime="2023-04-18T16:43:28", risk_message="tbd", risk_object="10.0.1.17", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. 
This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:37:43", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:37:43", parent_process="unknown", parent_process_name="svchost.exe", process="unknown", 
process_guid="{a759a8bc-c756-643e-781f-000000000a00}", process_name="TiWorker.exe", process_path="C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2780_none_7df1b05c7ca1f251\\TiWorker.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AmdK8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AmdK8\\ImagePath", registry_value_data="\\SystemRoot\\System32\\drivers\\amdk8.sys", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="unknown" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:06:36", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:06:36", parent_process="unknown", parent_process_name="wininit.exe", process="unknown", 
process_guid="{EF490992-C009-643E-0A00-00000000CC02}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active 
Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:06:37", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:07:26", parent_process="unknown", parent_process_name="unknown", process="unknown", process_guid="{EF490992-C009-643E-0A00-00000000CC02}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:06:36", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:30:26", parent_process="unknown", parent_process_name="lsass.exe", process="unknown", 
process_guid="{EF490992-C009-643E-0A00-00000000CC02}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active 
Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:06:36", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:06:36", parent_process="unknown", parent_process_name="csrss.exe", process="unknown", process_guid="{EF490992-C009-643E-0A00-00000000CC02}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:06:36", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:30:29", parent_process="unknown", parent_process_name="aurora-agent.exe", process="unknown", 
process_guid="{EF490992-C009-643E-0A00-00000000CC02}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active 
Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:30:27", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:30:27", parent_process="unknown", parent_process_name="aurora-agent-util.exe", process="unknown", process_guid="{EF490992-C009-643E-0A00-00000000CC02}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:06:36", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:06:36", parent_process="wininit.exe", parent_process_name="wininit.exe", process="C:\\Windows\\system32\\services.exe", 
process_guid="{EF490992-C009-643E-0A00-00000000CC02}", process_name="services.exe", process_path="C:\\Windows\\System32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_193cf8\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active 
Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:37:43", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:38:53", parent_process="unknown", parent_process_name="svchost.exe", process="unknown", process_guid="{a759a8bc-c756-643e-781f-000000000a00}", process_name="TiWorker.exe", process_path="C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2780_none_7df1b05c7ca1f251\\TiWorker.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AmdK8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AmdK8\\ImagePath", registry_value_data="\\SystemRoot\\System32\\drivers\\amdk8.sys", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:39:27", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:39:27", parent_process="unknown", parent_process_name="lsass.exe", process="unknown", process_guid="{a759a8bc-c756-643e-781f-000000000a00}", 
process_name="TiWorker.exe", process_path="C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2780_none_7df1b05c7ca1f251\\TiWorker.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AmdK8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AmdK8\\ImagePath", registry_value_data="\\SystemRoot\\System32\\drivers\\amdk8.sys", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active Directory Lateral Movement", 
annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:37:43", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:37:43", parent_process="unknown", parent_process_name="csrss.exe", process="unknown", process_guid="{a759a8bc-c756-643e-781f-000000000a00}", process_name="TiWorker.exe", process_path="C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2780_none_7df1b05c7ca1f251\\TiWorker.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AmdK8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AmdK8\\ImagePath", registry_value_data="\\SystemRoot\\System32\\drivers\\amdk8.sys", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:37:43", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:39:22", parent_process="unknown", parent_process_name="MsMpEng.exe", process="unknown", process_guid="{a759a8bc-c756-643e-781f-000000000a00}", 
process_name="TiWorker.exe", process_path="C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2780_none_7df1b05c7ca1f251\\TiWorker.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AmdK8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AmdK8\\ImagePath", registry_value_data="\\SystemRoot\\System32\\drivers\\amdk8.sys", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active Directory Lateral Movement", 
annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:37:56", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:39:37", parent_process="unknown", parent_process_name="MicrosoftEdgeUpdate.exe", process="unknown", process_guid="{a759a8bc-c756-643e-781f-000000000a00}", process_name="TiWorker.exe", process_path="C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2780_none_7df1b05c7ca1f251\\TiWorker.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AmdK8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AmdK8\\ImagePath", registry_value_data="\\SystemRoot\\System32\\drivers\\amdk8.sys", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681833600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681833600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Suspicious Windows Registry Activities", annotations._all="DE.CM", annotations._all="Brute Ratel C4", annotations._all="Windows Registry Abuse", annotations._all="T1574.011", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:37:43", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681840285.575309000", lastTime="2023-04-18T16:37:43", parent_process="C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p", parent_process_name="svchost.exe", 
process="C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2780_none_7df1b05c7ca1f251\\TiWorker.exe -Embedding", process_guid="{a759a8bc-c756-643e-781f-000000000a00}", process_name="TiWorker.exe", process_path="C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2780_none_7df1b05c7ca1f251\\TiWorker.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\AmdK8", registry_path="HKLM\\System\\CurrentControlSet\\Services\\AmdK8\\ImagePath", registry_value_data="\\SystemRoot\\System32\\drivers\\amdk8.sys", registry_value_name="ImagePath", risk_message="A Windows Service was created on an endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic looks for suspicious creation or modification of a registry service entry. Adversaries abuse this technique to persist, to gain privileges on the machine, or even to move laterally. It can be carried out with the reg.exe utility or directly through the Windows API, as the CrashOverride malware did. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:30:42", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:30:42", parent_process="unknown", parent_process_id="684", process="unknown", process_id="4876", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:30:42", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:30:42", parent_process="unknown", parent_process_id="1152", process="unknown", process_id="4876", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:06:43", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:06:43", parent_process="unknown", parent_process_id="684", process="unknown", process_id="4064", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", 
risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:06:42", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:06:42", parent_process="unknown", parent_process_id="684", process="unknown", process_id="3692", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS 
process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:06:38", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:06:38", parent_process="unknown", 
parent_process_id="684", process="unknown", process_id="2832", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-exch01.attackrange.local", firstTime="2023-04-18T16:07:14", info_max_time="1681836600.000000000", 
info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:07:14", parent_process="unknown", parent_process_id="696", process="unknown", process_id="5804", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", 
dest="mswin-exch01.attackrange.local", firstTime="2023-04-18T16:06:49", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:06:49", parent_process="unknown", parent_process_id="696", process="unknown", process_id="4376", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 
10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-exch01.attackrange.local", firstTime="2023-04-18T16:06:43", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:06:43", parent_process="unknown", parent_process_id="696", process="unknown", process_id="3996", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-dc01.attackrange.local", firstTime="2023-04-18T16:07:08", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:07:08", parent_process="unknown", parent_process_id="784", process="unknown", process_id="3668", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-dc01.attackrange.local", firstTime="2023-04-18T16:07:03", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:07:03", parent_process="unknown", parent_process_id="784", process="unknown", process_id="3484", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-dc01.attackrange.local", firstTime="2023-04-18T16:07:07", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:07:07", parent_process="unknown", parent_process_id="784", process="unknown", process_id="2880", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="54.0", 
savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-ADFS.attackrange.local", firstTime="2023-04-18T16:06:48", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:06:48", parent_process="unknown", parent_process_id="696", process="unknown", process_id="3924", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on 
mswin-ADFS.attackrange.local", risk_object="mswin-ADFS.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-ADFS.attackrange.local", firstTime="2023-04-18T16:06:49", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:06:49", parent_process="unknown", parent_process_id="696", 
process="unknown", process_id="3408", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-ADFS.attackrange.local", risk_object="mswin-ADFS.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-ADFS.attackrange.local", firstTime="2023-04-18T16:06:42", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", 
info_search_time="1681839778.075249000", lastTime="2023-04-18T16:06:42", parent_process="unknown", parent_process_id="696", process="unknown", process_id="2752", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-ADFS.attackrange.local", risk_object="mswin-ADFS.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T16:38:22", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:38:22", parent_process="unknown", parent_process_id="928", process="unknown", process_id="9020", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", 
annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:38:22", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:38:22", parent_process="unknown", parent_process_id="928", process="unknown", process_id="8300", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off 
The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:38:22", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:38:22", parent_process="unknown", parent_process_id="928", process="unknown", process_id="5616", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:38:22", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:38:22", parent_process="unknown", parent_process_id="800", process="unknown", process_id="9020", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:38:22", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:38:22", parent_process="unknown", parent_process_id="800", process="unknown", process_id="8300", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839782, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-18T16:38:22", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839778.075249000", lastTime="2023-04-18T16:38:22", parent_process="unknown", parent_process_id="800", process="unknown", process_id="5616", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following 
analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", 
annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:30:47", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:30:47", parent_process_id="932", parent_process_name="svchost.exe", process="unknown", process_id="4944", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:30:43", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:30:43", parent_process_id="684", parent_process_name="svchost.exe", process="unknown", process_id="4944", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:30:43", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:30:43", parent_process_id="1152", parent_process_name="svchost.exe", process="unknown", process_id="4944", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:30:27", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:30:27", parent_process_id="684", parent_process_name="svchost.exe", process="unknown", process_id="4008", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:30:25", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:30:29", parent_process_id="1152", parent_process_name="svchost.exe", process="unknown", process_id="4008", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:14:36", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:17:43", parent_process_id="748", parent_process_name="svchost.exe", process="unknown", process_id="3696", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:44:21", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:44:22", parent_process_id="684", parent_process_name="svchost.exe", process="unknown", process_id="2248", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:44:21", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:44:21", parent_process_id="1152", parent_process_name="svchost.exe", process="unknown", process_id="2248", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:06:42", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:42", parent_process_id="684", parent_process_name="svchost.exe", process="unknown", process_id="3880", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:06:42", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:42", parent_process_id="684", parent_process_name="svchost.exe", process="unknown", process_id="3728", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:06:51", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:43:31", parent_process_id="684", parent_process_name="svchost.exe", process="unknown", process_id="3696", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:06:41", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:41", parent_process_id="684", parent_process_name="svchost.exe", process="unknown", process_id="3548", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:06:43", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:43", parent_process_id="684", parent_process_name="svchost.exe", process="unknown", process_id="3300", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:06:40", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:40", parent_process_id="684", parent_process_name="svchost.exe", process="unknown", process_id="3168", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:06:43", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:43", parent_process_id="684", parent_process_name="svchost.exe", process="unknown", process_id="1236", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T16:30:25", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:30:25", parent_process_id="0x480", parent_process_name="svchost.exe", process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command & { $(IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\sYLWDNvK\").Administrator0)))) }", process_id="0xfa8", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="Administrator" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", 
dest="mswin-server.attackrange.local", firstTime="2023-04-18T16:30:25", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:30:25", parent_process_id="1152", parent_process_name="svchost.exe", process="\"powershell.exe\" -NoProfile -ExecutionPolicy Bypass -Command & { $(IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\sYLWDNvK\").Administrator0)))) }", process_id="4008", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="Administrator" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server", 
firstTime="2023-04-18T16:30:32", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:30:32", parent_process_id="null", parent_process_name="svchost.exe", process="\"powershell.exe\" -NoProfile -ExecutionPolicy Bypass -Command & { $(IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\sYLWDNvK\").Administrator0)))) }", process_id="1152", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server", risk_object="mswin-server", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server", 
firstTime="2023-04-18T16:30:29", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:30:29", parent_process_id="null", parent_process_name="svchost.exe", process="\"powershell.exe\" -NoProfile -ExecutionPolicy Bypass -Command & { $(IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\sYLWDNvK\").Administrator0)))) }", process_id="4008", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server", risk_object="mswin-server", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="MSWIN-SERVER\\Administrator" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", 
dest="mswin-exch01.attackrange.local", firstTime="2023-04-18T16:06:50", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:50", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="4552", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="9", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T16:10:12", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:45:32", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T16:06:47", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:47", parent_process_id="4088", parent_process_name="wmiprvse.exe", process="unknown", process_id="2964", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T16:14:38", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:16:38", parent_process_id="760", parent_process_name="svchost.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T16:07:17", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:07:17", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="5884", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T16:06:50", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:50", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="4552", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T16:07:16", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:07:16", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="3956", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T16:07:29", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:07:29", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="3952", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T16:06:45", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:45", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="3540", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T16:07:03", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:07:03", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="3256", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T16:06:47", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:47", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="2964", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-18T16:14:44", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:17:50", parent_process_id="840", parent_process_name="svchost.exe", process="unknown", process_id="3272", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-18T16:07:06", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:07:06", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="4032", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-18T16:07:09", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:07:09", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="3888", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-18T16:07:08", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:07:08", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="3760", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-18T16:07:05", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:07:05", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="3724", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-18T16:07:07", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:07:07", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="3536", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-18T16:07:19", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:07:19", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="3272", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-18T16:07:07", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:07:07", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="3268", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-ADFS.attackrange.local", 
firstTime="2023-04-18T16:06:48", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:48", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="3984", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-ADFS.attackrange.local", risk_object="mswin-ADFS.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-ADFS.attackrange.local", 
firstTime="2023-04-18T16:06:47", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:47", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="3696", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-ADFS.attackrange.local", risk_object="mswin-ADFS.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-ADFS.attackrange.local", 
firstTime="2023-04-18T16:06:49", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:49", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="3464", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-ADFS.attackrange.local", risk_object="mswin-ADFS.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-ADFS.attackrange.local", 
firstTime="2023-04-18T16:06:49", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:49", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="3248", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-ADFS.attackrange.local", risk_object="mswin-ADFS.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-ADFS.attackrange.local", 
firstTime="2023-04-18T16:06:45", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:45", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="3164", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-ADFS.attackrange.local", risk_object="mswin-ADFS.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-ADFS.attackrange.local", 
firstTime="2023-04-18T16:06:50", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:06:50", parent_process_id="696", parent_process_name="svchost.exe", process="unknown", process_id="3124", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-ADFS.attackrange.local", risk_object="mswin-ADFS.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681839532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="37", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-18T16:37:42", info_max_time="1681836600.000000000", info_min_time="1681833000.000000000", info_search_time="1681839528.806208000", lastTime="2023-04-18T16:39:54", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="8004", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681834681, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-18T13:27:35", info_max_time="1681825800.000000000", info_min_time="1681822200.000000000", info_search_time="1681834676.100763000", lastTime="2023-04-18T13:27:35", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="3300", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681834681, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="8", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T12:50:32", info_max_time="1681825800.000000000", info_min_time="1681822200.000000000", info_search_time="1681834676.100763000", lastTime="2023-04-18T13:25:40", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681834681, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="8", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T12:50:32", info_max_time="1681825800.000000000", info_min_time="1681822200.000000000", info_search_time="1681834676.100763000", lastTime="2023-04-18T13:25:40", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681834681, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T13:27:35", info_max_time="1681825800.000000000", info_min_time="1681822200.000000000", info_search_time="1681834676.100763000", lastTime="2023-04-18T13:27:35", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681834681, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-18T13:27:34", info_max_time="1681825800.000000000", info_min_time="1681822200.000000000", info_search_time="1681834676.100763000", lastTime="2023-04-18T13:27:34", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="3864", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681834672, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T11:50:22", info_max_time="1681822200.000000000", info_min_time="1681818600.000000000", info_search_time="1681834668.635435000", lastTime="2023-04-18T12:45:32", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681834672, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T11:50:22", info_max_time="1681822200.000000000", info_min_time="1681818600.000000000", info_search_time="1681834668.635435000", lastTime="2023-04-18T12:45:32", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681821534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T10:50:15", info_max_time="1681818600.000000000", info_min_time="1681815000.000000000", info_search_time="1681821528.834504000", lastTime="2023-04-18T11:45:21", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681821534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T10:50:15", info_max_time="1681818600.000000000", info_min_time="1681815000.000000000", info_search_time="1681821528.834504000", lastTime="2023-04-18T11:45:21", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681817935, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T09:50:06", info_max_time="1681815000.000000000", info_min_time="1681811400.000000000", info_search_time="1681817929.871667000", lastTime="2023-04-18T10:45:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681817935, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T09:50:06", info_max_time="1681815000.000000000", info_min_time="1681811400.000000000", info_search_time="1681817929.871667000", lastTime="2023-04-18T10:45:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681814334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T08:50:00", info_max_time="1681811400.000000000", info_min_time="1681807800.000000000", info_search_time="1681814328.874989000", lastTime="2023-04-18T09:45:05", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681814334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T08:50:00", info_max_time="1681811400.000000000", info_min_time="1681807800.000000000", info_search_time="1681814328.874989000", lastTime="2023-04-18T09:45:05", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681810734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T07:54:53", info_max_time="1681807800.000000000", info_min_time="1681804200.000000000", info_search_time="1681810729.463888000", lastTime="2023-04-18T08:44:58", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681810734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T07:54:53", info_max_time="1681807800.000000000", info_min_time="1681804200.000000000", info_search_time="1681810729.463888000", lastTime="2023-04-18T08:44:58", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681807134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T06:54:45", info_max_time="1681804200.000000000", info_min_time="1681800600.000000000", info_search_time="1681807128.907631000", lastTime="2023-04-18T07:49:52", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681807134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T06:54:45", info_max_time="1681804200.000000000", info_min_time="1681800600.000000000", info_search_time="1681807128.907631000", lastTime="2023-04-18T07:49:52", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681803534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T05:54:37", info_max_time="1681800600.000000000", info_min_time="1681797000.000000000", info_search_time="1681803528.961526000", lastTime="2023-04-18T06:49:44", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681803534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T05:54:37", info_max_time="1681800600.000000000", info_min_time="1681797000.000000000", info_search_time="1681803528.961526000", lastTime="2023-04-18T06:49:44", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681799934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T04:54:30", info_max_time="1681797000.000000000", info_min_time="1681793400.000000000", info_search_time="1681799929.009612000", lastTime="2023-04-18T05:49:36", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681799934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T04:54:30", info_max_time="1681797000.000000000", info_min_time="1681793400.000000000", info_search_time="1681799929.009612000", lastTime="2023-04-18T05:49:36", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681796332, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T03:54:21", info_max_time="1681793400.000000000", info_min_time="1681789800.000000000", info_search_time="1681796328.325362000", lastTime="2023-04-18T04:49:28", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681796332, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T03:54:21", info_max_time="1681793400.000000000", info_min_time="1681789800.000000000", info_search_time="1681796328.325362000", lastTime="2023-04-18T04:49:28", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681792733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T02:54:13", info_max_time="1681789800.000000000", info_min_time="1681786200.000000000", info_search_time="1681792728.721324000", lastTime="2023-04-18T03:49:20", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681792733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T02:54:13", info_max_time="1681789800.000000000", info_min_time="1681786200.000000000", info_search_time="1681792728.721324000", lastTime="2023-04-18T03:49:20", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681789132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T01:54:06", info_max_time="1681786200.000000000", info_min_time="1681782600.000000000", info_search_time="1681789128.642746000", lastTime="2023-04-18T02:49:12", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681789132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T01:54:06", info_max_time="1681786200.000000000", info_min_time="1681782600.000000000", info_search_time="1681789128.642746000", lastTime="2023-04-18T02:49:12", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681785534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T00:53:58", info_max_time="1681782600.000000000", info_min_time="1681779000.000000000", info_search_time="1681785529.187376000", lastTime="2023-04-18T01:49:05", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681785534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-18T00:53:58", info_max_time="1681782600.000000000", info_min_time="1681779000.000000000", info_search_time="1681785529.187376000", lastTime="2023-04-18T01:49:05", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681781933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T23:53:51", info_max_time="1681779000.000000000", info_min_time="1681775400.000000000", info_search_time="1681781928.496292000", lastTime="2023-04-18T00:48:57", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681781933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T23:53:51", info_max_time="1681779000.000000000", info_min_time="1681775400.000000000", info_search_time="1681781928.496292000", lastTime="2023-04-18T00:48:57", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681778332, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T22:53:44", info_max_time="1681775400.000000000", info_min_time="1681771800.000000000", info_search_time="1681778328.607665000", lastTime="2023-04-17T23:48:50", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681778332, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T22:53:43", info_max_time="1681775400.000000000", info_min_time="1681771800.000000000", info_search_time="1681778328.607665000", lastTime="2023-04-17T23:48:50", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681774984, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="mswin-server.attackrange.local", firstTime="2023-04-17T21:57:41", info_max_time="1681771800.000000000", info_min_time="1681768200.000000000", info_search_time="1681774978.767073000", lastTime="2023-04-17T21:57:41", parent_process="unknown", parent_process_id="1144", process="unknown", process_id="4328", process_name="regsvr32.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681774984, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="mswin-server.attackrange.local", firstTime="2023-04-17T21:57:41", info_max_time="1681771800.000000000", info_min_time="1681768200.000000000", info_search_time="1681774978.767073000", lastTime="2023-04-17T21:57:41", parent_process="unknown", parent_process_id="1144", process="unknown", process_id="1224", process_name="regsvr32.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681774733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", 
annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", firstTime="2023-04-17T21:53:34", info_max_time="1681771800.000000000", info_min_time="1681768200.000000000", info_search_time="1681774728.896974000", lastTime="2023-04-17T22:48:43", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681774733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T21:53:34", info_max_time="1681771800.000000000", info_min_time="1681768200.000000000", info_search_time="1681774728.896974000", lastTime="2023-04-17T22:48:43", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681771132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:51:46", info_max_time="1681768200.000000000", info_min_time="1681764600.000000000", info_search_time="1681771128.547103000", lastTime="2023-04-17T20:51:46", parent_process_id="752", parent_process_name="svchost.exe", process="unknown", process_id="3300", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681771132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T20:53:24", info_max_time="1681768200.000000000", info_min_time="1681764600.000000000", info_search_time="1681771128.547103000", lastTime="2023-04-17T21:48:35", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681771132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T20:53:24", info_max_time="1681768200.000000000", info_min_time="1681764600.000000000", info_search_time="1681771128.547103000", lastTime="2023-04-17T21:48:35", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681768298, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 13", annotations._all="DE.AE", annotations._all="SamSam Ransomware", annotations._all="T1021.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Hidden Cobra Malware", annotations._all="Ryuk Ransomware", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="2", dest="10.0.1.17", dest_port="3389", firstTime="2023-04-17T20:31:26", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681768291.550935000", lastTime="2023-04-17T20:43:55", risk_message="tbd", risk_object="10.0.1.17", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. 
This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681761600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681761600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1574.011", annotations._all="Brute Ratel C4", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", annotations._all="Windows Registry Abuse", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-server.attackrange.local", firstTime="2023-04-17T20:31:29", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681768285.939571000", lastTime="2023-04-17T20:31:30", parent_process="unknown", parent_process_name="lsass.exe", process="unknown", 
process_guid="{EF490992-7ECE-643D-0A00-00000000CB02}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_755ff2", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_755ff2\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681761600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681761600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1574.011", annotations._all="Brute Ratel C4", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", annotations._all="Windows Registry Abuse", annotations._all="CIS 10", 
annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-server.attackrange.local", firstTime="2023-04-17T20:31:28", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681768285.939571000", lastTime="2023-04-17T20:49:57", parent_process="unknown", parent_process_name="aurora-agent.exe", process="unknown", process_guid="{EF490992-7ECE-643D-0A00-00000000CB02}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_755ff2", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_755ff2\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681761600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681761600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1574.011", annotations._all="Brute Ratel C4", annotations._all="DE.CM", annotations._all="Windows Persistence Techniques", annotations._all="Windows Registry Abuse", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Suspicious Windows Registry Activities", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-server.attackrange.local", firstTime="2023-04-17T20:31:31", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681768285.939571000", lastTime="2023-04-17T20:31:31", parent_process="unknown", parent_process_name="aurora-agent-util.exe", process="unknown", 
process_guid="{EF490992-7ECE-643D-0A00-00000000CB02}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_755ff2", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_755ff2\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681767784, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 
10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-17T20:31:46", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767778.290333000", lastTime="2023-04-17T20:31:46", parent_process="unknown", parent_process_id="692", process="unknown", process_id="4808", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681767784, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="T1053", annotations._all="Living Off The Land", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="mswin-server.attackrange.local", firstTime="2023-04-17T20:31:45", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767778.290333000", lastTime="2023-04-17T20:31:45", parent_process="unknown", parent_process_id="1144", process="unknown", process_id="4808", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", 
annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="mswin-server.attackrange.local", firstTime="2023-04-17T20:31:51", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:31:51", parent_process_id="904", parent_process_name="svchost.exe", process="unknown", process_id="4876", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:31:46", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:31:46", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="4876", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:31:47", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:31:47", parent_process_id="1144", parent_process_name="svchost.exe", process="unknown", process_id="4876", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:40:24", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:41:12", parent_process_id="752", parent_process_name="svchost.exe", process="unknown", process_id="4800", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="10", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:48:40", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:48:44", parent_process_id="752", parent_process_name="svchost.exe", process="unknown", process_id="3300", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:31:31", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:31:31", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="2780", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:31:30", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:31:32", parent_process_id="1144", parent_process_name="svchost.exe", process="unknown", process_id="2780", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:39:21", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:39:21", parent_process_id="752", parent_process_name="svchost.exe", process="unknown", process_id="2620", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="4", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:33:20", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:43:57", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="2620", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:33:20", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:33:20", parent_process_id="1144", parent_process_name="svchost.exe", process="unknown", process_id="2620", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:33:43", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:33:43", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="4800", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:42:40", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:43:57", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="3300", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T20:31:30", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:31:30", parent_process_id="0x478", parent_process_name="svchost.exe", process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command & { $(IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\sYLWDNvK\").Administrator0)))) }", process_id="0xadc", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="Administrator" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", 
dest="mswin-server.attackrange.local", firstTime="2023-04-17T20:31:30", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:31:30", parent_process_id="1144", parent_process_name="svchost.exe", process="\"powershell.exe\" -NoProfile -ExecutionPolicy Bypass -Command & { $(IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\sYLWDNvK\").Administrator0)))) }", process_id="2780", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="Administrator" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server", 
firstTime="2023-04-17T20:31:34", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:31:34", parent_process_id="null", parent_process_name="svchost.exe", process="\"powershell.exe\" -NoProfile -ExecutionPolicy Bypass -Command & { $(IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\sYLWDNvK\").Administrator0)))) }", process_id="1144", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server", risk_object="mswin-server", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server", 
firstTime="2023-04-17T20:31:30", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:31:30", parent_process_id="null", parent_process_name="svchost.exe", process="\"powershell.exe\" -NoProfile -ExecutionPolicy Bypass -Command & { $(IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path \"HKCU:\\SOFTWARE\\Microsoft\\sYLWDNvK\").Administrator0)))) }", process_id="2780", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server", risk_object="mswin-server", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="MSWIN-SERVER\\Administrator" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", 
dest="mswin-exch01.attackrange.local", firstTime="2023-04-17T19:53:15", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:48:22", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681767533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T19:53:15", info_max_time="1681764600.000000000", info_min_time="1681761000.000000000", info_search_time="1681767529.020614000", lastTime="2023-04-17T20:48:22", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681763933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T18:53:07", info_max_time="1681761000.000000000", info_min_time="1681757400.000000000", info_search_time="1681763928.967591000", lastTime="2023-04-17T19:48:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681763933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T18:53:07", info_max_time="1681761000.000000000", info_min_time="1681757400.000000000", info_search_time="1681763928.967591000", lastTime="2023-04-17T19:48:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681760333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T17:52:59", info_max_time="1681757400.000000000", info_min_time="1681753800.000000000", info_search_time="1681760329.158797000", lastTime="2023-04-17T18:48:08", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681760333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T17:52:59", info_max_time="1681757400.000000000", info_min_time="1681753800.000000000", info_search_time="1681760329.158797000", lastTime="2023-04-17T18:48:08", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681757497, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.001", annotations._all="Ryuk Ransomware", annotations._all="DE.AE", annotations._all="CIS 13", annotations._all="T1021", annotations._all="SamSam Ransomware", annotations._all="Hidden Cobra Malware", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="1", dest="10.0.1.14", dest_port="3389", firstTime="2023-04-17T17:12:38", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681757490.905554000", lastTime="2023-04-17T17:12:38", risk_message="tbd", risk_object="10.0.1.14", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. 
This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681756984, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-17T17:16:08", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756978.389372000", lastTime="2023-04-17T17:16:08", parent_process="unknown", parent_process_id="692", process="unknown", process_id="4092", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681756984, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-17T17:16:07", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756978.389372000", lastTime="2023-04-17T17:16:07", parent_process="unknown", parent_process_id="692", process="unknown", process_id="3764", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681756984, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-17T17:16:03", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756978.389372000", lastTime="2023-04-17T17:16:03", parent_process="unknown", parent_process_id="692", process="unknown", process_id="2968", process_name="wmic.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", 
savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681756984, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-dc01.attackrange.local", firstTime="2023-04-17T17:12:39", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756978.389372000", lastTime="2023-04-17T17:12:39", parent_process="unknown", parent_process_id="784", process="unknown", process_id="3972", process_name="atbroker.exe", risk_message="Svchost.exe spawned a LOLBAS process on 
mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", 
annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-server.attackrange.local", firstTime="2023-04-17T17:24:00", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:27:26", parent_process_id="752", parent_process_name="svchost.exe", process="unknown", process_id="3312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T17:16:07", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:16:07", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="3948", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T17:16:07", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:16:07", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="3800", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T17:16:06", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:16:06", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="3604", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T17:15:42", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:15:42", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3420", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T17:16:15", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:16:15", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="3312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T17:16:04", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:16:04", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="3280", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T17:16:08", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:16:08", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="3240", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T17:16:08", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:16:08", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="1996", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T16:52:52", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:47:59", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T16:52:52", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:47:59", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-17T17:12:39", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:12:39", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="5592", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681756733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-17T17:12:39", info_max_time="1681753800.000000000", info_min_time="1681750200.000000000", info_search_time="1681756729.366922000", lastTime="2023-04-17T17:12:39", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="3864", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681753896, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="CIS 13", annotations._all="T1021.001", annotations._all="DE.AE", annotations._all="SamSam Ransomware", annotations._all="Ryuk Ransomware", annotations._all="Hidden Cobra Malware", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="1", dest="10.0.1.17", dest_port="3389", firstTime="2023-04-17T16:37:17", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753890.266235000", lastTime="2023-04-17T16:37:17", risk_message="tbd", risk_object="10.0.1.17", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. 
This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681753384, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="mswin-server.attackrange.local", firstTime="2023-04-17T16:38:23", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753378.816725000", lastTime="2023-04-17T16:38:23", parent_process="unknown", parent_process_id="680", process="unknown", process_id="6708", process_name="atbroker.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", 
annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", firstTime="2023-04-17T16:48:52", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:48:54", parent_process_id="744", parent_process_name="svchost.exe", process="unknown", process_id="8552", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:42:49", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:42:51", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="8552", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:42:48", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:42:49", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="8552", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:48:46", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:48:54", parent_process_id="744", parent_process_name="svchost.exe", process="unknown", process_id="6580", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:42:42", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:42:45", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="6580", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:42:41", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:42:41", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="6580", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:48:52", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:49:04", parent_process_id="744", parent_process_name="svchost.exe", process="unknown", process_id="6300", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:42:49", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:42:51", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="6300", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:42:48", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:42:49", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="6300", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:38:23", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:38:23", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="6136", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:48:35", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:48:43", parent_process_id="744", parent_process_name="svchost.exe", process="unknown", process_id="6060", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:42:29", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:42:33", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="6060", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:42:29", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:42:29", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="6060", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:38:23", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:38:23", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5568", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-17T16:38:23", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:38:23", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3420", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T15:52:44", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:47:52", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681753133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T15:52:44", info_max_time="1681750200.000000000", info_min_time="1681746600.000000000", info_search_time="1681753129.191076000", lastTime="2023-04-17T16:47:52", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681749533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T14:52:34", info_max_time="1681746600.000000000", info_min_time="1681743000.000000000", info_search_time="1681749529.033587000", lastTime="2023-04-17T15:47:42", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681749533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T14:52:34", info_max_time="1681746600.000000000", info_min_time="1681743000.000000000", info_search_time="1681749529.033587000", lastTime="2023-04-17T15:47:42", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681749533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-17T15:01:11", info_max_time="1681746600.000000000", info_min_time="1681743000.000000000", info_search_time="1681749529.033587000", lastTime="2023-04-17T15:01:11", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="8004", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681745932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T13:52:26", info_max_time="1681743000.000000000", info_min_time="1681739400.000000000", info_search_time="1681745928.635359000", lastTime="2023-04-17T14:47:34", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681745932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T13:52:26", info_max_time="1681743000.000000000", info_min_time="1681739400.000000000", info_search_time="1681745928.635359000", lastTime="2023-04-17T14:47:34", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681742333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T12:52:16", info_max_time="1681739400.000000000", info_min_time="1681735800.000000000", info_search_time="1681742329.025435000", lastTime="2023-04-17T13:47:25", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681742333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T12:52:16", info_max_time="1681739400.000000000", info_min_time="1681735800.000000000", info_search_time="1681742329.025435000", lastTime="2023-04-17T13:47:25", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681732800, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681732800", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Registry Abuse", annotations._all="Suspicious Windows Registry Activities", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:37:53", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681739485.663023000", lastTime="2023-04-17T12:44:04", parent_process="unknown", parent_process_name="lsass.exe", process="unknown", 
process_guid="{a759a8bc-c9aa-6436-0b00-000000000a00}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\MicrosoftEdgeElevationService", registry_path="HKLM\\System\\CurrentControlSet\\Services\\MicrosoftEdgeElevationService\\ImagePath", registry_value_data="\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\112.0.1722.48\\elevation_service.exe\"", registry_value_name="ImagePath", risk_message="A Windows Service was created on an endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic looks for suspicious modification or creation of a registry service entry. This technique is abused by adversaries or threat actors to persist, gain privileges on the machine, or move laterally. It can be executed using the reg.exe application or the Windows API, as the CrashOverride malware does, for example. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681732800, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681732800", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Registry Abuse", annotations._all="Suspicious Windows Registry Activities", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:37:53", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681739485.663023000", lastTime="2023-04-17T12:44:12", parent_process="unknown", parent_process_name="MsMpEng.exe", process="unknown", process_guid="{a759a8bc-c9aa-6436-0b00-000000000a00}", 
process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\MicrosoftEdgeElevationService", registry_path="HKLM\\System\\CurrentControlSet\\Services\\MicrosoftEdgeElevationService\\ImagePath", registry_value_data="\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\112.0.1722.48\\elevation_service.exe\"", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681732800, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681732800", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Registry Abuse", annotations._all="Suspicious Windows Registry 
Activities", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:44:54", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681739485.663023000", lastTime="2023-04-17T12:44:54", parent_process="unknown", parent_process_name="MicrosoftEdgeUpdate.exe", process="unknown", process_guid="{a759a8bc-c9aa-6436-0b00-000000000a00}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\MicrosoftEdgeElevationService", registry_path="HKLM\\System\\CurrentControlSet\\Services\\MicrosoftEdgeElevationService\\ImagePath", registry_value_data="\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\112.0.1722.48\\elevation_service.exe\"", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681732800, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681732800", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="Brute Ratel C4", annotations._all="Active Directory Lateral Movement", annotations._all="T1574.011", annotations._all="DE.CM", annotations._all="Windows Registry Abuse", annotations._all="Suspicious Windows Registry Activities", annotations._all="CIS 10", annotations._all="Windows Persistence Techniques", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:43:01", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681739485.663023000", lastTime="2023-04-17T12:43:01", parent_process="unknown", parent_process_name="CompatTelRunner.exe", process="unknown", 
process_guid="{a759a8bc-c9aa-6436-0b00-000000000a00}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\MicrosoftEdgeElevationService", registry_path="HKLM\\System\\CurrentControlSet\\Services\\MicrosoftEdgeElevationService\\ImagePath", registry_value_data="\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\112.0.1722.48\\elevation_service.exe\"", registry_value_name="ImagePath", risk_message="A Windows Service was created on an endpoint from DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic looks for suspicious modification or creation of a registry service entry. This technique is abused by adversaries or threat actors to persist, gain privileges on the machine, or move laterally. It can be executed using the reg.exe application or the Windows API, as the CrashOverride malware does, for example. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:40:34", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:40:34", parent_process="unknown", parent_process_id="928", process="unknown", process_id="7940", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="928", process="unknown", process_id="8280", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="928", process="unknown", process_id="5940", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following 
analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="928", process="unknown", process_id="5488", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", 
risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:49", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:49", parent_process="unknown", parent_process_id="928", process="unknown", process_id="3824", process_name="schtasks.exe", risk_message="Svchost.exe 
spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:49", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:49", parent_process="unknown", parent_process_id="928", process="unknown", 
process_id="3716", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:48", 
parent_process="unknown", parent_process_id="928", process="unknown", process_id="3624", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", 
info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="928", process="unknown", process_id="2328", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", 
info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="928", process="unknown", process_id="2140", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", 
annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:43", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:43", parent_process="unknown", parent_process_id="928", process="unknown", process_id="2036", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", 
annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:48", parent_process="unknown", parent_process_id="928", process="unknown", process_id="2016", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:43", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:43", parent_process="unknown", parent_process_id="928", process="unknown", process_id="12232", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:48", parent_process="unknown", parent_process_id="928", process="unknown", process_id="1216", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:38:17", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:38:17", parent_process="unknown", parent_process_id="928", process="unknown", process_id="11976", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following 
analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:38:17", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:38:17", parent_process="unknown", parent_process_id="928", process="unknown", process_id="11932", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", 
risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:38:17", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:38:17", parent_process="unknown", parent_process_id="928", process="unknown", process_id="11888", process_name="schtasks.exe", risk_message="Svchost.exe 
spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="928", process="unknown", 
process_id="11708", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", 
lastTime="2023-04-17T12:42:48", parent_process="unknown", parent_process_id="928", process="unknown", process_id="10856", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", 
info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="928", process="unknown", process_id="10624", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-17T12:43:04", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:43:04", parent_process="unknown", parent_process_id="928", process="unknown", process_id="472", process_name="msiexec.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", 
annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:43:05", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:43:05", parent_process="unknown", parent_process_id="928", process="unknown", process_id="1976", process_name="MsiExec.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The 
Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:43:04", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:43:04", parent_process="unknown", parent_process_id="928", process="unknown", process_id="1872", process_name="MsiExec.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:40:34", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:40:34", parent_process="unknown", parent_process_id="800", process="unknown", process_id="7940", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:41:17", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:41:17", parent_process="unknown", parent_process_id="1832", process="unknown", process_id="7940", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="800", process="unknown", process_id="8280", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following 
analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="800", process="unknown", process_id="5940", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", 
risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="800", process="unknown", process_id="5488", process_name="schtasks.exe", risk_message="Svchost.exe spawned 
a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="1300", process="unknown", 
process_id="5488", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:49", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:49", 
parent_process="unknown", parent_process_id="800", process="unknown", process_id="3824", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:49", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", 
info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:49", parent_process="unknown", parent_process_id="1300", process="unknown", process_id="3824", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:49", 
info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:49", parent_process="unknown", parent_process_id="800", process="unknown", process_id="3716", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", 
annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:49", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:49", parent_process="unknown", parent_process_id="1300", process="unknown", process_id="3716", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", 
annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:48", parent_process="unknown", parent_process_id="800", process="unknown", process_id="3624", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:48", parent_process="unknown", parent_process_id="1300", process="unknown", process_id="3624", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="800", process="unknown", process_id="2328", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="1300", process="unknown", process_id="2328", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following 
analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="800", process="unknown", process_id="2140", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", 
risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:43", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:43", parent_process="unknown", parent_process_id="800", process="unknown", process_id="2036", process_name="schtasks.exe", risk_message="Svchost.exe spawned 
a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:43", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:43", parent_process="unknown", parent_process_id="1300", process="unknown", 
process_id="2036", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:48", 
parent_process="unknown", parent_process_id="800", process="unknown", process_id="2016", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", 
info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:48", parent_process="unknown", parent_process_id="1300", process="unknown", process_id="2016", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:43", 
info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:43", parent_process="unknown", parent_process_id="800", process="unknown", process_id="12232", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", 
annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:48", parent_process="unknown", parent_process_id="800", process="unknown", process_id="1216", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", 
annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:48", parent_process="unknown", parent_process_id="1300", process="unknown", process_id="1216", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:38:17", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:38:17", parent_process="unknown", parent_process_id="800", process="unknown", process_id="11976", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:38:17", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:38:17", parent_process="unknown", parent_process_id="800", process="unknown", process_id="11932", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:38:17", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:38:17", parent_process="unknown", parent_process_id="800", process="unknown", process_id="11888", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following 
analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="800", process="unknown", process_id="11708", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", 
risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="1300", process="unknown", process_id="11708", process_name="schtasks.exe", risk_message="Svchost.exe 
spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:48", parent_process="unknown", parent_process_id="800", process="unknown", 
process_id="10856", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:48", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:48", 
parent_process="unknown", parent_process_id="1300", process="unknown", process_id="10856", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:42:44", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", 
info_search_time="1681738978.372917000", lastTime="2023-04-17T12:42:44", parent_process="unknown", parent_process_id="800", process="unknown", process_id="10624", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:43:04", 
info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:43:04", parent_process="unknown", parent_process_id="800", process="unknown", process_id="472", process_name="msiexec.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", 
count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:43:17", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:43:17", parent_process="unknown", parent_process_id="1832", process="unknown", process_id="472", process_name="msiexec.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", 
annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:43:05", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:43:05", parent_process="unknown", parent_process_id="800", process="unknown", process_id="1976", process_name="MsiExec.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738982, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:43:04", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738978.372917000", lastTime="2023-04-17T12:43:04", parent_process="unknown", parent_process_id="800", process="unknown", process_id="1872", process_name="MsiExec.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738760, search_name="ESCU - Services LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", analyticstories="Qakbot", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\", \"Qakbot\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1543\", \"T1543.003\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1543", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.mitre_attack="T1543", annotations.mitre_attack="T1543.003", annotations.nist="DE.CM", count="2", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:43:04", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738756.483742000", lastTime="2023-04-17T12:43:04", parent_process="unknown", parent_process_id="676", process="unknown", process_id="472", process_name="msiexec.exe", risk_message="Services.exe spawned a LOLBAS process on $dest", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `services.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738760, search_name="ESCU - Services LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", analyticstories="Qakbot", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\", \"Qakbot\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1543\", \"T1543.003\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1543", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="Qakbot", annotations._all="CIS 10", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.analytic_story="Qakbot", annotations.cis20="CIS 10", annotations.mitre_attack="T1543", annotations.mitre_attack="T1543.003", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-17T12:43:04", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738756.483742000", lastTime="2023-04-17T12:43:04", parent_process="C:\\Windows\\system32\\services.exe", parent_process_id="676", process="C:\\Windows\\system32\\msiexec.exe /V", process_id="472", process_name="msiexec.exe", risk_message="Services.exe 
spawned a LOLBAS process on $dest", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `services.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Service Control Manager and creating a remote malicious service, the executed command is spawned as a child process of `services.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of services.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681738733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1047", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", 
annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", firstTime="2023-04-17T11:52:07", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738728.766507000", lastTime="2023-04-17T12:47:16", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681738733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1047", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T11:52:07", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738728.766507000", lastTime="2023-04-17T12:47:16", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681738733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1047", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-17T12:43:19", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738728.766507000", lastTime="2023-04-17T12:43:19", parent_process_id="928", parent_process_name="svchost.exe", process="unknown", process_id="5188", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681738733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1047", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-17T12:43:26", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738728.766507000", lastTime="2023-04-17T12:43:26", parent_process_id="928", parent_process_name="svchost.exe", process="unknown", process_id="2480", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681738733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1047", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-17T12:43:19", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738728.766507000", lastTime="2023-04-17T12:43:19", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="5188", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681738733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1047", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-17T12:43:26", info_max_time="1681735800.000000000", info_min_time="1681732200.000000000", info_search_time="1681738728.766507000", lastTime="2023-04-17T12:43:26", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="2480", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681735133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T10:51:58", info_max_time="1681732200.000000000", info_min_time="1681728600.000000000", info_search_time="1681735129.038406000", lastTime="2023-04-17T11:47:06", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681735133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T10:51:58", info_max_time="1681732200.000000000", info_min_time="1681728600.000000000", info_search_time="1681735129.038406000", lastTime="2023-04-17T11:47:06", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681731533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T09:51:51", info_max_time="1681728600.000000000", info_min_time="1681725000.000000000", info_search_time="1681731528.563697000", lastTime="2023-04-17T10:46:57", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681731533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T09:51:51", info_max_time="1681728600.000000000", info_min_time="1681725000.000000000", info_search_time="1681731528.563697000", lastTime="2023-04-17T10:46:57", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681727933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T08:51:44", info_max_time="1681725000.000000000", info_min_time="1681721400.000000000", info_search_time="1681727929.011985000", lastTime="2023-04-17T09:46:51", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681727933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T08:51:44", info_max_time="1681725000.000000000", info_min_time="1681721400.000000000", info_search_time="1681727929.011985000", lastTime="2023-04-17T09:46:51", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681724333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T07:51:36", info_max_time="1681721400.000000000", info_min_time="1681717800.000000000", info_search_time="1681724329.124738000", lastTime="2023-04-17T08:46:44", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681724333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T07:51:36", info_max_time="1681721400.000000000", info_min_time="1681717800.000000000", info_search_time="1681724329.124738000", lastTime="2023-04-17T08:46:44", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681720732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T06:51:29", info_max_time="1681717800.000000000", info_min_time="1681714200.000000000", info_search_time="1681720728.608424000", lastTime="2023-04-17T07:46:36", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681720732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T06:51:28", info_max_time="1681717800.000000000", info_min_time="1681714200.000000000", info_search_time="1681720728.608424000", lastTime="2023-04-17T07:46:36", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681717132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T05:51:23", info_max_time="1681714200.000000000", info_min_time="1681710600.000000000", info_search_time="1681717128.475137000", lastTime="2023-04-17T06:46:28", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681717132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T05:51:23", info_max_time="1681714200.000000000", info_min_time="1681710600.000000000", info_search_time="1681717128.475137000", lastTime="2023-04-17T06:46:28", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681713534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T04:51:14", info_max_time="1681710600.000000000", info_min_time="1681707000.000000000", info_search_time="1681713529.266192000", lastTime="2023-04-17T05:46:21", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681713534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T04:51:14", info_max_time="1681710600.000000000", info_min_time="1681707000.000000000", info_search_time="1681713529.266192000", lastTime="2023-04-17T05:46:21", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681709933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T03:51:06", info_max_time="1681707000.000000000", info_min_time="1681703400.000000000", info_search_time="1681709928.971496000", lastTime="2023-04-17T04:46:12", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681709933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T03:51:06", info_max_time="1681707000.000000000", info_min_time="1681703400.000000000", info_search_time="1681709928.971496000", lastTime="2023-04-17T04:46:12", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681706333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T02:50:58", info_max_time="1681703400.000000000", info_min_time="1681699800.000000000", info_search_time="1681706329.198161000", lastTime="2023-04-17T03:46:05", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681706333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T02:50:58", info_max_time="1681703400.000000000", info_min_time="1681699800.000000000", info_search_time="1681706329.198161000", lastTime="2023-04-17T03:46:05", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681702732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1021", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T01:50:52", info_max_time="1681699800.000000000", info_min_time="1681696200.000000000", info_search_time="1681702728.489770000", lastTime="2023-04-17T02:45:59", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681702732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1021", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T01:50:52", info_max_time="1681699800.000000000", info_min_time="1681696200.000000000", info_search_time="1681702728.489770000", lastTime="2023-04-17T02:45:59", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681699133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T00:50:45", info_max_time="1681696200.000000000", info_min_time="1681692600.000000000", info_search_time="1681699128.751616000", lastTime="2023-04-17T01:45:51", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681699133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-17T00:50:45", info_max_time="1681696200.000000000", info_min_time="1681692600.000000000", info_search_time="1681699128.751616000", lastTime="2023-04-17T01:45:51", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681695533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T23:50:37", info_max_time="1681692600.000000000", info_min_time="1681689000.000000000", info_search_time="1681695529.231234000", lastTime="2023-04-17T00:45:44", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681695533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T23:50:37", info_max_time="1681692600.000000000", info_min_time="1681689000.000000000", info_search_time="1681695529.231234000", lastTime="2023-04-17T00:45:44", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681691933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T22:50:30", info_max_time="1681689000.000000000", info_min_time="1681685400.000000000", info_search_time="1681691929.074399000", lastTime="2023-04-16T23:45:36", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681691933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T22:50:30", info_max_time="1681689000.000000000", info_min_time="1681685400.000000000", info_search_time="1681691929.074399000", lastTime="2023-04-16T23:45:36", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681688334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T21:50:23", info_max_time="1681685400.000000000", info_min_time="1681681800.000000000", info_search_time="1681688329.283109000", lastTime="2023-04-16T22:45:29", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681688334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="T1047", annotations._all="T1021.006", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T21:50:23", info_max_time="1681685400.000000000", info_min_time="1681681800.000000000", info_search_time="1681688329.283109000", lastTime="2023-04-16T22:45:29", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681684733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T20:50:16", info_max_time="1681681800.000000000", info_min_time="1681678200.000000000", info_search_time="1681684728.829767000", lastTime="2023-04-16T21:45:22", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681684733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T20:50:16", info_max_time="1681681800.000000000", info_min_time="1681678200.000000000", info_search_time="1681684728.829767000", lastTime="2023-04-16T21:45:22", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681681133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T19:50:07", info_max_time="1681678200.000000000", info_min_time="1681674600.000000000", info_search_time="1681681129.028447000", lastTime="2023-04-16T20:45:15", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681681133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T19:50:07", info_max_time="1681678200.000000000", info_min_time="1681674600.000000000", info_search_time="1681681129.028447000", lastTime="2023-04-16T20:45:15", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681677533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T18:50:01", info_max_time="1681674600.000000000", info_min_time="1681671000.000000000", info_search_time="1681677528.914400000", lastTime="2023-04-16T19:45:08", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681677533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T18:50:01", info_max_time="1681674600.000000000", info_min_time="1681671000.000000000", info_search_time="1681677528.914400000", lastTime="2023-04-16T19:45:08", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681673932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T17:54:54", info_max_time="1681671000.000000000", info_min_time="1681667400.000000000", info_search_time="1681673928.413323000", lastTime="2023-04-16T18:44:59", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681673932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T17:54:54", info_max_time="1681671000.000000000", info_min_time="1681667400.000000000", info_search_time="1681673928.413323000", lastTime="2023-04-16T18:44:59", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681670334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T16:54:48", info_max_time="1681667400.000000000", info_min_time="1681663800.000000000", info_search_time="1681670329.044280000", lastTime="2023-04-16T17:49:53", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681670334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T16:54:48", info_max_time="1681667400.000000000", info_min_time="1681663800.000000000", info_search_time="1681670329.044280000", lastTime="2023-04-16T17:49:53", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681666733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T15:54:40", info_max_time="1681663800.000000000", info_min_time="1681660200.000000000", info_search_time="1681666728.633478000", lastTime="2023-04-16T16:49:47", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681666733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T15:54:40", info_max_time="1681663800.000000000", info_min_time="1681660200.000000000", info_search_time="1681666728.633478000", lastTime="2023-04-16T16:49:47", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681663134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T14:54:33", info_max_time="1681660200.000000000", info_min_time="1681656600.000000000", info_search_time="1681663129.065132000", lastTime="2023-04-16T15:49:40", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681663134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T14:54:33", info_max_time="1681660200.000000000", info_min_time="1681656600.000000000", info_search_time="1681663129.065132000", lastTime="2023-04-16T15:49:40", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681659534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T13:54:25", info_max_time="1681656600.000000000", info_min_time="1681653000.000000000", info_search_time="1681659528.406281000", lastTime="2023-04-16T14:49:32", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681659534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T13:54:25", info_max_time="1681656600.000000000", info_min_time="1681653000.000000000", info_search_time="1681659528.406281000", lastTime="2023-04-16T14:49:32", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681655934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T12:54:18", info_max_time="1681653000.000000000", info_min_time="1681649400.000000000", info_search_time="1681655928.825197000", lastTime="2023-04-16T13:49:25", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681655934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T12:54:18", info_max_time="1681653000.000000000", info_min_time="1681649400.000000000", info_search_time="1681655928.825197000", lastTime="2023-04-16T13:49:25", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681652335, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T11:54:11", info_max_time="1681649400.000000000", info_min_time="1681645800.000000000", info_search_time="1681652329.196339000", lastTime="2023-04-16T12:49:17", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681652335, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T11:54:11", info_max_time="1681649400.000000000", info_min_time="1681645800.000000000", info_search_time="1681652329.196339000", lastTime="2023-04-16T12:49:17", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681648735, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T10:54:03", info_max_time="1681645800.000000000", info_min_time="1681642200.000000000", info_search_time="1681648728.937459000", lastTime="2023-04-16T11:49:10", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681648735, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T10:54:03", info_max_time="1681645800.000000000", info_min_time="1681642200.000000000", info_search_time="1681648728.937459000", lastTime="2023-04-16T11:49:10", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681645135, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T09:53:56", info_max_time="1681642200.000000000", info_min_time="1681638600.000000000", info_search_time="1681645129.224322000", lastTime="2023-04-16T10:49:03", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681645135, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T09:53:56", info_max_time="1681642200.000000000", info_min_time="1681638600.000000000", info_search_time="1681645129.224322000", lastTime="2023-04-16T10:49:03", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681641536, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T08:53:50", info_max_time="1681638600.000000000", info_min_time="1681635000.000000000", info_search_time="1681641530.354056000", lastTime="2023-04-16T09:48:57", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681641536, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T08:53:50", info_max_time="1681638600.000000000", info_min_time="1681635000.000000000", info_search_time="1681641530.354056000", lastTime="2023-04-16T09:48:57", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681637934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T07:53:43", info_max_time="1681635000.000000000", info_min_time="1681631400.000000000", info_search_time="1681637929.029669000", lastTime="2023-04-16T08:48:49", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681637934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T07:53:43", info_max_time="1681635000.000000000", info_min_time="1681631400.000000000", info_search_time="1681637929.029669000", lastTime="2023-04-16T08:48:49", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681634335, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T06:53:36", info_max_time="1681631400.000000000", info_min_time="1681627800.000000000", info_search_time="1681634329.326386000", lastTime="2023-04-16T07:48:43", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681634335, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T06:53:36", info_max_time="1681631400.000000000", info_min_time="1681627800.000000000", info_search_time="1681634329.326386000", lastTime="2023-04-16T07:48:43", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681630733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T05:53:28", info_max_time="1681627800.000000000", info_min_time="1681624200.000000000", info_search_time="1681630728.852133000", lastTime="2023-04-16T06:48:35", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681630733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T05:53:28", info_max_time="1681627800.000000000", info_min_time="1681624200.000000000", info_search_time="1681630728.852133000", lastTime="2023-04-16T06:48:35", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681627134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T04:53:21", info_max_time="1681624200.000000000", info_min_time="1681620600.000000000", info_search_time="1681627129.305964000", lastTime="2023-04-16T05:48:28", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681627134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T04:53:21", info_max_time="1681624200.000000000", info_min_time="1681620600.000000000", info_search_time="1681627129.305964000", lastTime="2023-04-16T05:48:28", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681623534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T03:53:14", info_max_time="1681620600.000000000", info_min_time="1681617000.000000000", info_search_time="1681623529.049816000", lastTime="2023-04-16T04:48:21", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681623534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T03:53:14", info_max_time="1681620600.000000000", info_min_time="1681617000.000000000", info_search_time="1681623529.049816000", lastTime="2023-04-16T04:48:21", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681619934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1047", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T02:53:08", info_max_time="1681617000.000000000", info_min_time="1681613400.000000000", info_search_time="1681619928.454396000", lastTime="2023-04-16T03:48:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681619934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1047", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T02:53:08", info_max_time="1681617000.000000000", info_min_time="1681613400.000000000", info_search_time="1681619928.454396000", lastTime="2023-04-16T03:48:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681616333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T01:53:01", info_max_time="1681613400.000000000", info_min_time="1681609800.000000000", info_search_time="1681616328.493798000", lastTime="2023-04-16T02:48:07", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681616333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T01:53:01", info_max_time="1681613400.000000000", info_min_time="1681609800.000000000", info_search_time="1681616328.493798000", lastTime="2023-04-16T02:48:07", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681612734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="T1047", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T00:52:55", info_max_time="1681609800.000000000", info_min_time="1681606200.000000000", info_search_time="1681612728.868622000", lastTime="2023-04-16T01:48:01", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681612734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="T1047", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-16T00:52:55", info_max_time="1681609800.000000000", info_min_time="1681606200.000000000", info_search_time="1681612728.868622000", lastTime="2023-04-16T01:48:01", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681609134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T23:52:48", info_max_time="1681606200.000000000", info_min_time="1681602600.000000000", info_search_time="1681609128.883934000", lastTime="2023-04-16T00:47:54", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681609134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T23:52:48", info_max_time="1681606200.000000000", info_min_time="1681602600.000000000", info_search_time="1681609128.883934000", lastTime="2023-04-16T00:47:54", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681605534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T22:52:41", info_max_time="1681602600.000000000", info_min_time="1681599000.000000000", info_search_time="1681605529.116458000", lastTime="2023-04-15T23:47:48", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681605534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T22:52:41", info_max_time="1681602600.000000000", info_min_time="1681599000.000000000", info_search_time="1681605529.116458000", lastTime="2023-04-15T23:47:48", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681601933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T21:52:34", info_max_time="1681599000.000000000", info_min_time="1681595400.000000000", info_search_time="1681601928.965464000", lastTime="2023-04-15T22:47:42", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681601933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T21:52:34", info_max_time="1681599000.000000000", info_min_time="1681595400.000000000", info_search_time="1681601928.965464000", lastTime="2023-04-15T22:47:42", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681598333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T20:52:26", info_max_time="1681595400.000000000", info_min_time="1681591800.000000000", info_search_time="1681598328.701120000", lastTime="2023-04-15T21:47:33", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681598333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T20:52:26", info_max_time="1681595400.000000000", info_min_time="1681591800.000000000", info_search_time="1681598328.701120000", lastTime="2023-04-15T21:47:33", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681594733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T19:52:18", info_max_time="1681591800.000000000", info_min_time="1681588200.000000000", info_search_time="1681594729.039091000", lastTime="2023-04-15T20:47:26", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681594733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T19:52:18", info_max_time="1681591800.000000000", info_min_time="1681588200.000000000", info_search_time="1681594729.039091000", lastTime="2023-04-15T20:47:26", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681591132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T18:52:10", info_max_time="1681588200.000000000", info_min_time="1681584600.000000000", info_search_time="1681591128.534517000", lastTime="2023-04-15T19:47:17", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681591132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T18:52:10", info_max_time="1681588200.000000000", info_min_time="1681584600.000000000", info_search_time="1681591128.534517000", lastTime="2023-04-15T19:47:17", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681587533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T17:52:01", info_max_time="1681584600.000000000", info_min_time="1681581000.000000000", info_search_time="1681587529.223209000", lastTime="2023-04-15T18:47:10", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681587533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T17:52:01", info_max_time="1681584600.000000000", info_min_time="1681581000.000000000", info_search_time="1681587529.223209000", lastTime="2023-04-15T18:47:10", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681583933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T16:51:54", info_max_time="1681581000.000000000", info_min_time="1681577400.000000000", info_search_time="1681583929.007102000", lastTime="2023-04-15T17:47:00", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681583933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T16:51:54", info_max_time="1681581000.000000000", info_min_time="1681577400.000000000", info_search_time="1681583929.007102000", lastTime="2023-04-15T17:47:00", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681580333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T15:51:47", info_max_time="1681577400.000000000", info_min_time="1681573800.000000000", info_search_time="1681580329.161523000", lastTime="2023-04-15T16:46:54", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681580333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T15:51:47", info_max_time="1681577400.000000000", info_min_time="1681573800.000000000", info_search_time="1681580329.161523000", lastTime="2023-04-15T16:46:54", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681576733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T14:51:40", info_max_time="1681573800.000000000", info_min_time="1681570200.000000000", info_search_time="1681576728.818055000", lastTime="2023-04-15T15:46:47", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681576733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T14:51:40", info_max_time="1681573800.000000000", info_min_time="1681570200.000000000", info_search_time="1681576728.818055000", lastTime="2023-04-15T15:46:47", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681573132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T13:51:33", info_max_time="1681570200.000000000", info_min_time="1681566600.000000000", info_search_time="1681573128.705515000", lastTime="2023-04-15T14:46:39", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681573132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T13:51:33", info_max_time="1681570200.000000000", info_min_time="1681566600.000000000", info_search_time="1681573128.705515000", lastTime="2023-04-15T14:46:39", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681569533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T12:51:25", info_max_time="1681566600.000000000", info_min_time="1681563000.000000000", info_search_time="1681569528.817536000", lastTime="2023-04-15T13:46:32", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681569533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T12:51:25", info_max_time="1681566600.000000000", info_min_time="1681563000.000000000", info_search_time="1681569528.817536000", lastTime="2023-04-15T13:46:32", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681565933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T11:51:18", info_max_time="1681563000.000000000", info_min_time="1681559400.000000000", info_search_time="1681565928.922100000", lastTime="2023-04-15T12:46:25", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681565933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T11:51:18", info_max_time="1681563000.000000000", info_min_time="1681559400.000000000", info_search_time="1681565928.922100000", lastTime="2023-04-15T12:46:25", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681562333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T10:51:11", info_max_time="1681559400.000000000", info_min_time="1681555800.000000000", info_search_time="1681562329.068373000", lastTime="2023-04-15T11:46:17", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681562333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T10:51:11", info_max_time="1681559400.000000000", info_min_time="1681555800.000000000", info_search_time="1681562329.068373000", lastTime="2023-04-15T11:46:17", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681558732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T09:51:03", info_max_time="1681555800.000000000", info_min_time="1681552200.000000000", info_search_time="1681558728.880941000", lastTime="2023-04-15T10:46:10", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681558732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T09:51:03", info_max_time="1681555800.000000000", info_min_time="1681552200.000000000", info_search_time="1681558728.880941000", lastTime="2023-04-15T10:46:10", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681555133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T08:50:56", info_max_time="1681552200.000000000", info_min_time="1681548600.000000000", info_search_time="1681555129.397104000", lastTime="2023-04-15T09:46:03", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681555133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T08:50:56", info_max_time="1681552200.000000000", info_min_time="1681548600.000000000", info_search_time="1681555129.397104000", lastTime="2023-04-15T09:46:03", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681551532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="T1218.014", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T07:50:50", info_max_time="1681548600.000000000", info_min_time="1681545000.000000000", info_search_time="1681551528.791793000", lastTime="2023-04-15T08:45:56", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681551532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="T1218.014", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T07:50:50", info_max_time="1681548600.000000000", info_min_time="1681545000.000000000", info_search_time="1681551528.791793000", lastTime="2023-04-15T08:45:56", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681547933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T06:50:44", info_max_time="1681545000.000000000", info_min_time="1681541400.000000000", info_search_time="1681547929.253157000", lastTime="2023-04-15T07:45:50", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681547933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T06:50:44", info_max_time="1681545000.000000000", info_min_time="1681541400.000000000", info_search_time="1681547929.253157000", lastTime="2023-04-15T07:45:50", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681544332, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T05:50:36", info_max_time="1681541400.000000000", info_min_time="1681537800.000000000", info_search_time="1681544328.488917000", lastTime="2023-04-15T06:45:43", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681544332, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T05:50:36", info_max_time="1681541400.000000000", info_min_time="1681537800.000000000", info_search_time="1681544328.488917000", lastTime="2023-04-15T06:45:43", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681540732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T04:50:29", info_max_time="1681537800.000000000", info_min_time="1681534200.000000000", info_search_time="1681540728.757600000", lastTime="2023-04-15T05:45:36", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681540732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T04:50:29", info_max_time="1681537800.000000000", info_min_time="1681534200.000000000", info_search_time="1681540728.757600000", lastTime="2023-04-15T05:45:36", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681537132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T03:50:22", info_max_time="1681534200.000000000", info_min_time="1681530600.000000000", info_search_time="1681537128.799459000", lastTime="2023-04-15T04:45:28", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681537132, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T03:50:22", info_max_time="1681534200.000000000", info_min_time="1681530600.000000000", info_search_time="1681537128.799459000", lastTime="2023-04-15T04:45:28", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681533532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T02:50:15", info_max_time="1681530600.000000000", info_min_time="1681527000.000000000", info_search_time="1681533528.493378000", lastTime="2023-04-15T03:45:21", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681533532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T02:50:15", info_max_time="1681530600.000000000", info_min_time="1681527000.000000000", info_search_time="1681533528.493378000", lastTime="2023-04-15T03:45:21", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681529933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T01:50:09", info_max_time="1681527000.000000000", info_min_time="1681523400.000000000", info_search_time="1681529928.781120000", lastTime="2023-04-15T02:45:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681529933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T01:50:09", info_max_time="1681527000.000000000", info_min_time="1681523400.000000000", info_search_time="1681529928.781120000", lastTime="2023-04-15T02:45:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681526333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T00:50:00", info_max_time="1681523400.000000000", info_min_time="1681519800.000000000", info_search_time="1681526329.600072000", lastTime="2023-04-15T01:45:07", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681526333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-15T00:50:00", info_max_time="1681523400.000000000", info_min_time="1681519800.000000000", info_search_time="1681526329.600072000", lastTime="2023-04-15T01:45:07", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681522733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T23:54:53", info_max_time="1681519800.000000000", info_min_time="1681516200.000000000", info_search_time="1681522729.153153000", lastTime="2023-04-15T00:44:59", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681522733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T23:54:53", info_max_time="1681519800.000000000", info_min_time="1681516200.000000000", info_search_time="1681522729.153153000", lastTime="2023-04-15T00:44:59", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681519133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T22:54:47", info_max_time="1681516200.000000000", info_min_time="1681512600.000000000", info_search_time="1681519129.001577000", lastTime="2023-04-14T23:49:53", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681519133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T22:54:47", info_max_time="1681516200.000000000", info_min_time="1681512600.000000000", info_search_time="1681519129.001577000", lastTime="2023-04-14T23:49:53", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681515533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T21:54:38", info_max_time="1681512600.000000000", info_min_time="1681509000.000000000", info_search_time="1681515529.245408000", lastTime="2023-04-14T22:49:46", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681515533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T21:54:38", info_max_time="1681512600.000000000", info_min_time="1681509000.000000000", info_search_time="1681515529.245408000", lastTime="2023-04-14T22:49:46", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681511933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T20:54:31", info_max_time="1681509000.000000000", info_min_time="1681505400.000000000", info_search_time="1681511928.663098000", lastTime="2023-04-14T21:49:39", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681511933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T20:54:31", info_max_time="1681509000.000000000", info_min_time="1681505400.000000000", info_search_time="1681511928.663098000", lastTime="2023-04-14T21:49:39", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681508333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T19:54:23", info_max_time="1681505400.000000000", info_min_time="1681501800.000000000", info_search_time="1681508329.414409000", lastTime="2023-04-14T20:49:31", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681508333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T19:54:23", info_max_time="1681505400.000000000", info_min_time="1681501800.000000000", info_search_time="1681508329.414409000", lastTime="2023-04-14T20:49:31", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681504734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T19:20:46", info_max_time="1681501800.000000000", info_min_time="1681498200.000000000", info_search_time="1681504729.188930000", lastTime="2023-04-14T19:20:46", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="6932", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681504734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T19:20:46", info_max_time="1681501800.000000000", info_min_time="1681498200.000000000", info_search_time="1681504729.188930000", lastTime="2023-04-14T19:20:46", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="6932", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681504734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T19:13:05", info_max_time="1681501800.000000000", info_min_time="1681498200.000000000", info_search_time="1681504729.188930000", lastTime="2023-04-14T19:13:06", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="200", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681504734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T19:13:05", info_max_time="1681501800.000000000", info_min_time="1681498200.000000000", info_search_time="1681504729.188930000", lastTime="2023-04-14T19:13:05", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="200", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681504734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T19:19:43", info_max_time="1681501800.000000000", info_min_time="1681498200.000000000", info_search_time="1681504729.188930000", lastTime="2023-04-14T19:19:43", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="1604", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681504734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T19:19:43", info_max_time="1681501800.000000000", info_min_time="1681498200.000000000", info_search_time="1681504729.188930000", lastTime="2023-04-14T19:19:43", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="1604", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681504734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T18:54:15", info_max_time="1681501800.000000000", info_min_time="1681498200.000000000", info_search_time="1681504729.188930000", lastTime="2023-04-14T19:49:22", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681504734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T18:54:15", info_max_time="1681501800.000000000", info_min_time="1681498200.000000000", info_search_time="1681504729.188930000", lastTime="2023-04-14T19:49:22", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501897, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="SamSam Ransomware", annotations._all="CIS 13", annotations._all="T1021", annotations._all="T1021.001", annotations._all="Ryuk Ransomware", annotations._all="Active Directory Lateral Movement", annotations._all="Hidden Cobra Malware", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="1", dest="10.0.1.17", dest_port="3389", firstTime="2023-04-14T18:09:34", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501891.357628000", lastTime="2023-04-14T18:09:34", risk_message="tbd", risk_object="10.0.1.17", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. 
This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681501382, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="mswin-server.attackrange.local", firstTime="2023-04-14T18:09:36", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501378.096732000", lastTime="2023-04-14T18:09:36", parent_process="unknown", parent_process_id="680", process="unknown", process_id="2180", process_name="atbroker.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", 
annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", firstTime="2023-04-14T18:18:45", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:18:45", parent_process_id="744", parent_process_name="svchost.exe", process="unknown", process_id="6136", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T18:12:45", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:12:45", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="6136", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T18:12:45", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:12:45", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="6136", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T18:19:15", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:19:15", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5712", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T18:25:11", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:25:11", parent_process_id="744", parent_process_name="svchost.exe", process="unknown", process_id="5568", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T18:19:11", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:19:11", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5568", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T18:19:11", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:19:11", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5568", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T18:09:36", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:09:36", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="4596", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T18:19:13", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:19:13", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="4496", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T18:19:13", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:19:13", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="4496", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T18:09:36", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:09:36", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="2328", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T18:09:36", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:09:36", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3420", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T17:54:07", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:49:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T17:54:07", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:49:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="7", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-14T18:22:24", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:22:24", parent_process_id="4220", parent_process_name="wmiprvse.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681501134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="7", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-14T18:22:24", info_max_time="1681498200.000000000", info_min_time="1681494600.000000000", info_search_time="1681501130.093933000", lastTime="2023-04-14T18:22:24", parent_process_id="4220", parent_process_name="wmiprvse.exe", process="unknown", process_id="8004", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681497534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T16:53:56", info_max_time="1681494600.000000000", info_min_time="1681491000.000000000", info_search_time="1681497529.630920000", lastTime="2023-04-14T17:49:08", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681497534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T16:53:56", info_max_time="1681494600.000000000", info_min_time="1681491000.000000000", info_search_time="1681497529.630920000", lastTime="2023-04-14T17:49:08", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681494183, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-14T15:51:46", info_max_time="1681491000.000000000", info_min_time="1681487400.000000000", info_search_time="1681494178.765519000", lastTime="2023-04-14T15:51:46", parent_process="unknown", parent_process_id="928", process="unknown", process_id="10464", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681494183, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="T1053", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-14T15:51:46", info_max_time="1681491000.000000000", info_min_time="1681487400.000000000", info_search_time="1681494178.765519000", lastTime="2023-04-14T15:51:46", parent_process="unknown", parent_process_id="800", process="unknown", process_id="10464", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681493934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", 
annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", firstTime="2023-04-14T15:53:51", info_max_time="1681491000.000000000", info_min_time="1681487400.000000000", info_search_time="1681493928.828099000", lastTime="2023-04-14T16:48:56", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681493934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T15:53:51", info_max_time="1681491000.000000000", info_min_time="1681487400.000000000", info_search_time="1681493928.828099000", lastTime="2023-04-14T16:48:56", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681490334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1047", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T14:53:44", info_max_time="1681487400.000000000", info_min_time="1681483800.000000000", info_search_time="1681490328.812892000", lastTime="2023-04-14T15:48:50", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681490334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1047", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T14:53:44", info_max_time="1681487400.000000000", info_min_time="1681483800.000000000", info_search_time="1681490328.812892000", lastTime="2023-04-14T15:48:50", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681487495, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hidden Cobra Malware", annotations._all="CIS 13", annotations._all="SamSam Ransomware", annotations._all="DE.AE", annotations._all="Ryuk Ransomware", annotations._all="T1021.001", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="2", dest="10.0.1.17", dest_port="3389", firstTime="2023-04-14T14:28:44", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681487489.966943000", lastTime="2023-04-14T14:28:49", risk_message="tbd", risk_object="10.0.1.17", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. 
This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681486734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", 
dest="mswin-server.attackrange.local", firstTime="2023-04-14T14:28:50", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681486728.941691000", lastTime="2023-04-14T14:28:50", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="4596", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681486734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T14:28:50", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681486728.941691000", lastTime="2023-04-14T14:28:50", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="2328", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681486734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-14T14:28:50", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681486728.941691000", lastTime="2023-04-14T14:28:50", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3420", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681486734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T13:53:37", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681486728.941691000", lastTime="2023-04-14T14:48:43", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681486734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T13:53:37", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681486728.941691000", lastTime="2023-04-14T14:48:43", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681486734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-14T13:54:22", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681486728.941691000", lastTime="2023-04-14T13:54:22", parent_process_id="928", parent_process_name="svchost.exe", process="unknown", process_id="9104", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681486734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-14T13:55:58", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681486728.941691000", lastTime="2023-04-14T13:55:58", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681486734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-14T13:54:25", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681486728.941691000", lastTime="2023-04-14T13:54:25", parent_process_id="928", parent_process_name="svchost.exe", process="unknown", process_id="5848", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681486734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-14T13:54:22", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681486728.941691000", lastTime="2023-04-14T13:54:22", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="9104", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681486734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-14T13:55:58", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681486728.941691000", lastTime="2023-04-14T13:55:58", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="8004", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681486734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-14T13:54:25", info_max_time="1681483800.000000000", info_min_time="1681480200.000000000", info_search_time="1681486728.941691000", lastTime="2023-04-14T13:54:25", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="5848", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681483134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T12:53:30", info_max_time="1681480200.000000000", info_min_time="1681476600.000000000", info_search_time="1681483128.848907000", lastTime="2023-04-14T13:48:37", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681483134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T12:53:30", info_max_time="1681480200.000000000", info_min_time="1681476600.000000000", info_search_time="1681483128.848907000", lastTime="2023-04-14T13:48:37", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681479534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T11:53:23", info_max_time="1681476600.000000000", info_min_time="1681473000.000000000", info_search_time="1681479528.829722000", lastTime="2023-04-14T12:48:30", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681479534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T11:53:23", info_max_time="1681476600.000000000", info_min_time="1681473000.000000000", info_search_time="1681479528.829722000", lastTime="2023-04-14T12:48:30", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681475932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T10:53:14", info_max_time="1681473000.000000000", info_min_time="1681469400.000000000", info_search_time="1681475928.462970000", lastTime="2023-04-14T11:48:21", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681475932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T10:53:14", info_max_time="1681473000.000000000", info_min_time="1681469400.000000000", info_search_time="1681475928.462970000", lastTime="2023-04-14T11:48:21", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681472333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="T1021", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T09:53:08", info_max_time="1681469400.000000000", info_min_time="1681465800.000000000", info_search_time="1681472328.584838000", lastTime="2023-04-14T10:48:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681472333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="T1021", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T09:53:08", info_max_time="1681469400.000000000", info_min_time="1681465800.000000000", info_search_time="1681472328.584838000", lastTime="2023-04-14T10:48:14", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681468733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T08:53:01", info_max_time="1681465800.000000000", info_min_time="1681462200.000000000", info_search_time="1681468729.050718000", lastTime="2023-04-14T09:48:07", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681468733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T08:53:01", info_max_time="1681465800.000000000", info_min_time="1681462200.000000000", info_search_time="1681468729.050718000", lastTime="2023-04-14T09:48:07", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681465133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T07:52:55", info_max_time="1681462200.000000000", info_min_time="1681458600.000000000", info_search_time="1681465128.790115000", lastTime="2023-04-14T08:48:01", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681465133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T07:52:55", info_max_time="1681462200.000000000", info_min_time="1681458600.000000000", info_search_time="1681465128.790115000", lastTime="2023-04-14T08:48:01", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681461534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="T1021", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T06:52:50", info_max_time="1681458600.000000000", info_min_time="1681455000.000000000", info_search_time="1681461529.549148000", lastTime="2023-04-14T07:47:55", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681461534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Stage:Lateral Movement", annotations._all="T1021", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T06:52:50", info_max_time="1681458600.000000000", info_min_time="1681455000.000000000", info_search_time="1681461529.549148000", lastTime="2023-04-14T07:47:55", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681457934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T05:52:43", info_max_time="1681455000.000000000", info_min_time="1681451400.000000000", info_search_time="1681457929.231598000", lastTime="2023-04-14T06:47:48", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681457934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T05:52:43", info_max_time="1681455000.000000000", info_min_time="1681451400.000000000", info_search_time="1681457929.231598000", lastTime="2023-04-14T06:47:48", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681454333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T04:52:35", info_max_time="1681451400.000000000", info_min_time="1681447800.000000000", info_search_time="1681454328.882209000", lastTime="2023-04-14T05:47:42", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681454333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T04:52:35", info_max_time="1681451400.000000000", info_min_time="1681447800.000000000", info_search_time="1681454328.882209000", lastTime="2023-04-14T05:47:42", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681450732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T03:52:27", info_max_time="1681447800.000000000", info_min_time="1681444200.000000000", info_search_time="1681450728.667045000", lastTime="2023-04-14T04:47:34", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681450732, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T03:52:27", info_max_time="1681447800.000000000", info_min_time="1681444200.000000000", info_search_time="1681450728.667045000", lastTime="2023-04-14T04:47:34", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681447133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T02:52:21", info_max_time="1681444200.000000000", info_min_time="1681440600.000000000", info_search_time="1681447129.200455000", lastTime="2023-04-14T03:47:27", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681447133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="T1021.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T02:52:21", info_max_time="1681444200.000000000", info_min_time="1681440600.000000000", info_search_time="1681447129.200455000", lastTime="2023-04-14T03:47:27", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681443532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T01:52:12", info_max_time="1681440600.000000000", info_min_time="1681437000.000000000", info_search_time="1681443528.629871000", lastTime="2023-04-14T02:47:19", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681443532, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="Source:Endpoint", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T01:52:12", info_max_time="1681440600.000000000", info_min_time="1681437000.000000000", info_search_time="1681443528.629871000", lastTime="2023-04-14T02:47:19", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681439932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T00:52:04", info_max_time="1681437000.000000000", info_min_time="1681433400.000000000", info_search_time="1681439928.529895000", lastTime="2023-04-14T01:47:11", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681439932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-14T00:52:04", info_max_time="1681437000.000000000", info_min_time="1681433400.000000000", info_search_time="1681439928.529895000", lastTime="2023-04-14T01:47:11", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681436333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T23:51:57", info_max_time="1681433400.000000000", info_min_time="1681429800.000000000", info_search_time="1681436329.005917000", lastTime="2023-04-14T00:47:04", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681436333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T23:51:57", info_max_time="1681433400.000000000", info_min_time="1681429800.000000000", info_search_time="1681436329.005917000", lastTime="2023-04-14T00:47:04", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681432733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1047", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T22:51:50", info_max_time="1681429800.000000000", info_min_time="1681426200.000000000", info_search_time="1681432729.571210000", lastTime="2023-04-13T23:46:56", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681432733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1047", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T22:51:50", info_max_time="1681429800.000000000", info_min_time="1681426200.000000000", info_search_time="1681432729.571210000", lastTime="2023-04-13T23:46:56", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681429133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T21:51:44", info_max_time="1681426200.000000000", info_min_time="1681422600.000000000", info_search_time="1681429129.396383000", lastTime="2023-04-13T22:46:50", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681429133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._all="T1543.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T21:51:44", info_max_time="1681426200.000000000", info_min_time="1681422600.000000000", info_search_time="1681429129.396383000", lastTime="2023-04-13T22:46:50", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681426296, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="Hidden Cobra Malware", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 13", annotations._all="Ryuk Ransomware", annotations._all="SamSam Ransomware", annotations._all="T1021.001", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="2", dest="10.0.1.15", dest_port="3389", firstTime="2023-04-13T21:01:54", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681426289.702187000", lastTime="2023-04-13T21:03:41", risk_message="tbd", risk_object="10.0.1.15", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. 
This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", 
dest="mswin-server.attackrange.local", firstTime="2023-04-13T21:08:34", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:11:23", parent_process_id="744", parent_process_name="svchost.exe", process="unknown", process_id="3420", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T21:02:33", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:02:33", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3420", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="9", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T21:06:39", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:46:43", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T20:51:36", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:46:43", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T21:10:25", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:13:46", parent_process_id="752", parent_process_name="svchost.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T21:03:43", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:03:43", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T21:04:09", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:04:09", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="19312", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-13T21:09:31", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:09:31", parent_process_id="844", parent_process_name="svchost.exe", process="unknown", process_id="5592", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-13T21:03:28", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:03:30", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="5592", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-13T21:03:28", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:03:28", parent_process_id="1240", parent_process_name="svchost.exe", process="unknown", process_id="5592", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-13T21:09:54", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:12:17", parent_process_id="844", parent_process_name="svchost.exe", process="unknown", process_id="3864", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-13T21:03:53", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:03:53", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="3864", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="4", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:54:39", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:11:28", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:50:44", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T20:50:44", parent_process_id="928", parent_process_name="svchost.exe", process="unknown", process_id="8004", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:50:32", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T20:50:32", parent_process_id="676", parent_process_name="services.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:50:44", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T20:50:44", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="8004", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="5", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:51:41", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T21:11:28", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="8004", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681425533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="16", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:53:09", info_max_time="1681422600.000000000", info_min_time="1681419000.000000000", info_search_time="1681425529.049996000", lastTime="2023-04-13T20:56:41", parent_process_id="6044", parent_process_name="svchost.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="Michael Haag" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", 
dest="mswin-exch01.attackrange.local", firstTime="2023-04-13T19:51:29", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:46:36", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:24:19", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:24:19", parent_process_id="928", parent_process_name="svchost.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:24:19", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:24:20", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:24:19", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:24:19", parent_process_id="1848", parent_process_name="svchost.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="6", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:24:32", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:49:38", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:24:18", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:24:18", parent_process_id="10176", parent_process_name="svchost.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:41:33", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:41:33", parent_process_id="928", parent_process_name="svchost.exe", process="unknown", process_id="2584", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:26:59", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:26:59", parent_process_id="928", parent_process_name="svchost.exe", process="unknown", process_id="2432", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T19:54:33", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:09:35", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="8", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:26:39", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:48:41", parent_process_id="676", parent_process_name="services.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:41:33", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:41:33", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="2584", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:41:38", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:44:38", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="2584", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:26:59", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:26:59", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="2432", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="4", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:27:33", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:39:37", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="2432", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="24", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:24:57", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:37:49", parent_process_id="6044", parent_process_name="svchost.exe", process="unknown", process_id="8440", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="Michael Haag" 1681421932, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="5", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T20:23:57", info_max_time="1681419000.000000000", info_min_time="1681415400.000000000", info_search_time="1681421928.848284000", lastTime="2023-04-13T20:23:57", parent_process_id="6044", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="Michael Haag" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", 
dest="mswin-server.attackrange.local", firstTime="2023-04-13T19:04:13", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:04:13", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="960", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:04:13", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:04:13", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="960", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:08:54", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:08:54", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="940", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:08:54", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:08:54", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="940", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:04:40", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:14", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5940", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="4", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:04:41", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:14", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5940", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:15:01", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:15:01", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5924", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:15:01", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:15:01", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5924", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:31:43", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:31:43", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5700", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:31:43", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:31:43", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5700", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:05:12", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:29:35", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5680", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="6", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:05:12", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:29:35", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5680", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:59", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:59", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5636", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:59", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:59", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5636", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T18:58:07", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T18:58:07", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5392", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T18:58:07", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T18:58:07", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5392", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:04:25", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:04:25", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5328", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:04:26", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:04:26", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5328", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:14:37", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:14:37", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5160", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:14:38", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:14:38", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5160", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:32:50", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:32:50", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5020", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:32:50", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:32:50", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5020", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:31:44", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:31:44", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5016", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack, but these parents also start PowerShell for legitimate administration, so hits should be triaged with the PowerShell command line and parent context. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:31:44", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:31:44", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5016", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack, but these parents also start PowerShell for legitimate administration, so hits should be triaged with the PowerShell command line and parent context. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:14:42", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:14:42", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="4784", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack, but these parents also start PowerShell for legitimate administration, so hits should be triaged with the PowerShell command line and parent context. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:14:42", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:14:42", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="4784", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack, but these parents also start PowerShell for legitimate administration, so hits should be triaged with the PowerShell command line and parent context. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:34", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:34", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3964", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack, but these parents also start PowerShell for legitimate administration, so hits should be triaged with the PowerShell command line and parent context. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:34", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:34", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="3964", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack, but these parents also start PowerShell for legitimate administration, so hits should be triaged with the PowerShell command line and parent context. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:32:00", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:32:00", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3924", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack, but these parents also start PowerShell for legitimate administration, so hits should be triaged with the PowerShell command line and parent context. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:32:00", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:32:00", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="3924", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack, but these parents also start PowerShell for legitimate administration, so hits should be triaged with the PowerShell command line and parent context. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:14:55", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:14:55", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3736", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack, but these parents also start PowerShell for legitimate administration, so hits should be triaged with the PowerShell command line and parent context. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:14:56", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:14:56", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="3736", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack, but these parents also start PowerShell for legitimate administration, so hits should be triaged with the PowerShell command line and parent context. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:04:35", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:04:35", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3620", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:04:35", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:04:35", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="3620", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:40", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:40", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3408", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:41", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:41", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="3408", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:31:26", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:31:26", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3232", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:31:26", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:31:26", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="3232", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:59", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:59", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3132", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:59", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:59", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="3132", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:58", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:58", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="2808", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:58", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:58", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="2808", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:08:44", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:08:44", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="2460", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:08:44", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:08:44", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="2460", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:15:17", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:15:17", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="1608", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:15:18", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:15:18", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="1608", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T18:58:11", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T18:58:11", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="1396", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T18:58:11", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T18:58:11", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="1396", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:31:44", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:31:44", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="1328", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:31:44", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:31:44", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="1328", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:04:48", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:04:48", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="1284", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:04:49", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:04:49", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="1284", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:45", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:45", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="1204", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T19:25:45", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:25:45", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="1204", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T18:57:57", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T18:57:57", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="1072", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T18:57:57", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T18:57:57", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="1072", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T18:51:21", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:46:28", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="7", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T19:35:19", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:35:20", parent_process_id="4220", parent_process_name="wmiprvse.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T19:49:33", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:49:33", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681418333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="5", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T19:45:58", info_max_time="1681415400.000000000", info_min_time="1681411800.000000000", info_search_time="1681418328.728493000", lastTime="2023-04-13T19:45:58", parent_process_id="6044", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="Michael Haag" 1681414733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", 
dest="mswin-server.attackrange.local", firstTime="2023-04-13T18:22:32", info_max_time="1681411800.000000000", info_min_time="1681408200.000000000", info_search_time="1681414729.243679000", lastTime="2023-04-13T18:22:32", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="640", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681414733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T18:22:32", info_max_time="1681411800.000000000", info_min_time="1681408200.000000000", info_search_time="1681414729.243679000", lastTime="2023-04-13T18:22:32", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="640", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681414733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T18:23:26", info_max_time="1681411800.000000000", info_min_time="1681408200.000000000", info_search_time="1681414729.243679000", lastTime="2023-04-13T18:23:26", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="5864", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681414733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T18:23:26", info_max_time="1681411800.000000000", info_min_time="1681408200.000000000", info_search_time="1681414729.243679000", lastTime="2023-04-13T18:23:26", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="5864", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681414733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T18:40:58", info_max_time="1681411800.000000000", info_min_time="1681408200.000000000", info_search_time="1681414729.243679000", lastTime="2023-04-13T18:40:58", parent_process_id="744", parent_process_name="svchost.exe", process="unknown", process_id="4596", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681414733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T17:51:14", info_max_time="1681411800.000000000", info_min_time="1681408200.000000000", info_search_time="1681414729.243679000", lastTime="2023-04-13T18:46:20", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681414733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Stage:Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T18:24:26", info_max_time="1681411800.000000000", info_min_time="1681408200.000000000", info_search_time="1681414729.243679000", lastTime="2023-04-13T18:44:28", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:21:39", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:21:39", parent_process="unknown", parent_process_id="928", process="unknown", process_id="9332", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:40:27", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:40:27", parent_process="unknown", parent_process_id="928", process="unknown", process_id="4760", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:40:29", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:40:29", parent_process="unknown", parent_process_id="3084", process="unknown", process_id="4760", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following 
analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:25:56", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:25:56", parent_process="unknown", parent_process_id="928", process="unknown", process_id="10920", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", 
risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:18:59", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:18:59", parent_process="unknown", parent_process_id="928", process="unknown", process_id="956", process_name="schtasks.exe", risk_message="Svchost.exe spawned 
a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:18:59", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:18:59", parent_process="unknown", parent_process_id="928", process="unknown", 
process_id="7336", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:18:59", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:18:59", 
parent_process="unknown", parent_process_id="928", process="unknown", process_id="2596", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:21:39", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", 
info_search_time="1681411379.340982000", lastTime="2023-04-13T17:21:39", parent_process="unknown", parent_process_id="800", process="unknown", process_id="9332", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:22:22", 
info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:24:21", parent_process="unknown", parent_process_id="1832", process="unknown", process_id="9332", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", 
annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:40:27", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:40:27", parent_process="unknown", parent_process_id="800", process="unknown", process_id="4760", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", 
annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:40:33", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:40:33", parent_process="unknown", parent_process_id="1832", process="unknown", process_id="4760", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:25:56", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:25:56", parent_process="unknown", parent_process_id="800", process="unknown", process_id="10920", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:26:24", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:26:24", parent_process="unknown", parent_process_id="1832", process="unknown", process_id="10920", process_name="wuauclt.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:18:59", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:18:59", parent_process="unknown", parent_process_id="800", process="unknown", process_id="956", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following 
analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:18:59", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:18:59", parent_process="unknown", parent_process_id="800", process="unknown", process_id="7336", process_name="schtasks.exe", risk_message="Svchost.exe spawned a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", 
risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681411385, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="DE.CM", annotations._all="T1053", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="DESKTOP-92OQLA1", firstTime="2023-04-13T17:18:59", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411379.340982000", lastTime="2023-04-13T17:18:59", parent_process="unknown", parent_process_id="800", process="unknown", process_id="2596", process_name="schtasks.exe", risk_message="Svchost.exe spawned 
a LOLBAS process on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="SYSTEM" 1681411134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", 
annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", firstTime="2023-04-13T16:51:05", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411129.385074000", lastTime="2023-04-13T17:46:13", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681411134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="35", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T17:36:15", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411129.385074000", lastTime="2023-04-13T17:44:18", parent_process_id="3908", parent_process_name="wmiprvse.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681411134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T17:38:30", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411129.385074000", lastTime="2023-04-13T17:38:30", parent_process_id="928", parent_process_name="svchost.exe", process="unknown", process_id="8916", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681411134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T17:38:20", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411129.385074000", lastTime="2023-04-13T17:38:20", parent_process_id="928", parent_process_name="svchost.exe", process="unknown", process_id="5676", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681411134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T17:24:20", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411129.385074000", lastTime="2023-04-13T17:24:20", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681411134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="8", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T17:38:29", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411129.385074000", lastTime="2023-04-13T17:39:33", parent_process_id="3908", parent_process_name="wmiprvse.exe", process="unknown", process_id="8916", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681411134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T17:38:17", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411129.385074000", lastTime="2023-04-13T17:38:39", parent_process_id="3908", parent_process_name="wmiprvse.exe", process="unknown", process_id="5676", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681411134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T17:38:30", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411129.385074000", lastTime="2023-04-13T17:38:30", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="8916", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681411134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T17:38:32", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411129.385074000", lastTime="2023-04-13T17:38:32", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="8916", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681411134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T17:38:20", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411129.385074000", lastTime="2023-04-13T17:38:20", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="5676", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681411134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="T1021.003", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-13T17:38:32", info_max_time="1681408200.000000000", info_min_time="1681404600.000000000", info_search_time="1681411129.385074000", lastTime="2023-04-13T17:38:32", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="5676", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681407533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T15:50:55", info_max_time="1681404600.000000000", info_min_time="1681401000.000000000", info_search_time="1681407529.380607000", lastTime="2023-04-13T16:46:03", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681404696, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="T1021.001", annotations._all="Active Directory Lateral Movement", annotations._all="Ryuk Ransomware", annotations._all="SamSam Ransomware", annotations._all="DE.AE", annotations._all="T1021", annotations._all="CIS 13", annotations._all="Hidden Cobra Malware", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="1", dest="10.0.1.17", dest_port="3389", firstTime="2023-04-13T15:24:18", info_max_time="1681401000.000000000", info_min_time="1681397400.000000000", info_search_time="1681404690.258507000", lastTime="2023-04-13T15:24:18", risk_message="tbd", risk_object="10.0.1.17", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. 
This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681404696, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="T1021.001", annotations._all="Active Directory Lateral Movement", annotations._all="Ryuk Ransomware", annotations._all="SamSam Ransomware", annotations._all="DE.AE", annotations._all="T1021", annotations._all="CIS 13", annotations._all="Hidden Cobra Malware", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="1", dest="10.0.1.14", dest_port="3389", firstTime="2023-04-13T15:24:17", info_max_time="1681401000.000000000", info_min_time="1681397400.000000000", info_search_time="1681404690.258507000", lastTime="2023-04-13T15:24:17", risk_message="tbd", risk_object="10.0.1.14", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. 
This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681404183, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="T1053", annotations._all="CIS 10", annotations._all="DE.CM", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="mswin-server.attackrange.local", firstTime="2023-04-13T15:24:19", info_max_time="1681401000.000000000", info_min_time="1681397400.000000000", info_search_time="1681404178.677087000", lastTime="2023-04-13T15:24:19", parent_process="unknown", parent_process_id="680", process="unknown", process_id="5232", process_name="atbroker.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681403933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", 
annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", firstTime="2023-04-13T15:24:19", info_max_time="1681401000.000000000", info_min_time="1681397400.000000000", info_search_time="1681403928.852095000", lastTime="2023-04-13T15:24:19", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="4596", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681403933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-13T15:24:19", info_max_time="1681401000.000000000", info_min_time="1681397400.000000000", info_search_time="1681403928.852095000", lastTime="2023-04-13T15:24:19", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="2328", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681403933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T14:50:50", info_max_time="1681401000.000000000", info_min_time="1681397400.000000000", info_search_time="1681403928.852095000", lastTime="2023-04-13T15:45:55", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681403933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1053.005", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1059.001", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-13T15:24:18", info_max_time="1681401000.000000000", info_min_time="1681397400.000000000", info_search_time="1681403928.852095000", lastTime="2023-04-13T15:24:18", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="3148", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="SYSTEM" 1681400333, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1218.014", annotations._all="T1543.003", annotations._all="T1047", annotations._all="T1021", annotations._all="Source:Endpoint", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T13:50:44", info_max_time="1681397400.000000000", info_min_time="1681393800.000000000", info_search_time="1681400329.270191000", lastTime="2023-04-13T14:45:48", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681396733, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1059.001", annotations._all="Active Directory Lateral Movement", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T12:50:35", info_max_time="1681393800.000000000", info_min_time="1681390200.000000000", info_search_time="1681396728.870988000", lastTime="2023-04-13T13:45:42", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681393133, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Stage:Lateral Movement", annotations._all="Exploitation", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1021.006", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T11:50:27", info_max_time="1681390200.000000000", info_min_time="1681386600.000000000", info_search_time="1681393129.540606000", lastTime="2023-04-13T12:45:34", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681389533, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="T1021", annotations._all="T1053.005", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T10:50:21", info_max_time="1681386600.000000000", info_min_time="1681383000.000000000", info_search_time="1681389528.970503000", lastTime="2023-04-13T11:45:27", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681385933, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T09:50:12", info_max_time="1681383000.000000000", info_min_time="1681379400.000000000", info_search_time="1681385928.782840000", lastTime="2023-04-13T10:45:19", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681382334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Stage:Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T08:50:05", info_max_time="1681379400.000000000", info_min_time="1681375800.000000000", info_search_time="1681382328.738193000", lastTime="2023-04-13T09:45:11", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681378734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="T1047", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="Source:Endpoint", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="11", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T07:54:58", info_max_time="1681375800.000000000", info_min_time="1681372200.000000000", info_search_time="1681378728.957905000", lastTime="2023-04-13T08:45:04", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681375134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1059.001", annotations._all="Hermetic Wiper", annotations._all="Source:Endpoint", annotations._all="Malicious PowerShell", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T06:54:51", info_max_time="1681372200.000000000", info_min_time="1681368600.000000000", info_search_time="1681375129.131619000", lastTime="2023-04-13T07:49:57", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681371534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="T1543.003", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T05:54:45", info_max_time="1681368600.000000000", info_min_time="1681365000.000000000", info_search_time="1681371528.885546000", lastTime="2023-04-13T06:49:51", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681367934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1047", annotations._all="Source:Endpoint", annotations._all="T1021", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T04:54:37", info_max_time="1681365000.000000000", info_min_time="1681361400.000000000", info_search_time="1681367929.210715000", lastTime="2023-04-13T05:49:44", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681364335, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="Stage:Lateral Movement", annotations._all="T1218.014", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T03:54:29", info_max_time="1681361400.000000000", info_min_time="1681357800.000000000", info_search_time="1681364329.719010000", lastTime="2023-04-13T04:49:36", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681360734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T02:54:20", info_max_time="1681357800.000000000", info_min_time="1681354200.000000000", info_search_time="1681360729.201803000", lastTime="2023-04-13T03:49:28", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681357134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="T1218.014", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="Stage:Lateral Movement", annotations._all="T1021.006", annotations._all="T1543.003", annotations._all="T1059.001", annotations._all="T1047", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T01:54:13", info_max_time="1681354200.000000000", info_min_time="1681350600.000000000", info_search_time="1681357128.870260000", lastTime="2023-04-13T02:49:20", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681353534, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1021.006", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1021.003", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="Source:Endpoint", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-13T00:54:05", info_max_time="1681350600.000000000", info_min_time="1681347000.000000000", info_search_time="1681353528.944194000", lastTime="2023-04-13T01:49:12", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681349934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="Active Directory Lateral Movement", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="T1021", annotations._all="T1047", annotations._all="Exploitation", annotations._all="T1543.003", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-12T23:53:56", info_max_time="1681347000.000000000", info_min_time="1681343400.000000000", info_search_time="1681349928.835413000", lastTime="2023-04-13T00:49:04", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681346335, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="T1053.005", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1021.003", annotations._all="T1021", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Stage:Lateral Movement", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-12T22:53:49", info_max_time="1681343400.000000000", info_min_time="1681339800.000000000", info_search_time="1681346329.701329000", lastTime="2023-04-12T23:48:55", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681342734, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1053.005", annotations._all="T1021", annotations._all="Exploitation", annotations._all="T1047", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Hermetic Wiper", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-12T21:53:43", info_max_time="1681339800.000000000", info_min_time="1681336200.000000000", info_search_time="1681342729.473139000", lastTime="2023-04-12T22:48:49", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681339134, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1021", annotations._all="T1059.001", annotations._all="Stage:Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="Exploitation", annotations._all="Active Directory Lateral Movement", annotations._all="T1047", annotations._all="T1053.005", annotations._all="Hermetic Wiper", annotations._all="T1218.014", annotations._all="T1021.003", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-12T20:53:34", info_max_time="1681336200.000000000", info_min_time="1681332600.000000000", info_search_time="1681339128.916353000", lastTime="2023-04-12T21:48:41", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681336295, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="SamSam Ransomware", annotations._all="T1021.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 13", annotations._all="DE.AE", annotations._all="Ryuk Ransomware", annotations._all="Hidden Cobra Malware", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="8", dest="10.0.1.15", dest_port="3389", firstTime="2023-04-12T20:13:21", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681336290.052459000", lastTime="2023-04-12T20:15:32", risk_message="tbd", risk_object="10.0.1.15", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. 
This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681329600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681329600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1574.011", annotations._all="Windows Registry Abuse", annotations._all="Windows Persistence Techniques", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="Brute Ratel C4", annotations._all="Suspicious Windows Registry Activities", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-dc01.attackrange.local", firstTime="2023-04-12T20:15:20", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681336285.669421000", lastTime="2023-04-12T20:15:21", parent_process="unknown", parent_process_name="lsass.exe", process="unknown", 
process_guid="{2897A50F-1254-6434-0A00-00000000C902}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_71f6f26", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_71f6f26\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681336295, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="SamSam Ransomware", annotations._all="T1021.001", annotations._all="T1021", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 13", annotations._all="DE.AE", annotations._all="Ryuk Ransomware", annotations._all="Hidden Cobra Malware", annotations._frameworks="analytic_story", annotations._frameworks="cis20", 
annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="2", dest="10.0.1.14", dest_port="3389", firstTime="2023-04-12T20:15:14", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681336290.052459000", lastTime="2023-04-12T20:15:18", risk_message="tbd", risk_object="10.0.1.14", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681329600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681329600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1574.011", annotations._all="Windows Registry Abuse", annotations._all="Windows Persistence Techniques", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Active Directory 
Lateral Movement", annotations._all="Brute Ratel C4", annotations._all="Suspicious Windows Registry Activities", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-dc01.attackrange.local", firstTime="2023-04-12T20:15:19", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681336285.669421000", lastTime="2023-04-12T20:15:36", parent_process="unknown", parent_process_name="aurora-agent.exe", process="unknown", process_guid="{2897A50F-1254-6434-0A00-00000000C902}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_71f6f26", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_71f6f26\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on a endpoint from mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. 
This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", user="SYSTEM" 1681329600, search_name="ESCU - Windows Service Creation Using Registry Entry - Rule", orig_time="1681329600", analyticstories="Active Directory Lateral Movement", analyticstories="Brute Ratel C4", analyticstories="Suspicious Windows Registry Activities", analyticstories="Windows Persistence Techniques", analyticstories="Windows Registry Abuse", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Suspicious Windows Registry Activities\", \"Windows Persistence Techniques\", \"Windows Registry Abuse\", \"Brute Ratel C4\"], \"cis20\": [\"CIS 10\"], \"confidence\": 80, \"impact\": 80, \"mitre_attack\": [\"T1574.011\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1574.011", annotations._all="Windows Registry Abuse", annotations._all="Windows Persistence Techniques", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Active Directory Lateral Movement", annotations._all="Brute Ratel C4", annotations._all="Suspicious Windows Registry Activities", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Suspicious Windows Registry Activities", annotations.analytic_story="Windows Persistence Techniques", annotations.analytic_story="Windows Registry Abuse", annotations.analytic_story="Brute Ratel C4", annotations.cis20="CIS 10", annotations.mitre_attack="T1574.011", annotations.nist="DE.CM", dest="mswin-dc01.attackrange.local", firstTime="2023-04-12T20:15:21", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681336285.669421000", lastTime="2023-04-12T20:15:21", parent_process="unknown", parent_process_name="aurora-agent-util.exe", process="unknown", 
process_guid="{2897A50F-1254-6434-0A00-00000000C902}", process_name="services.exe", process_path="C:\\Windows\\system32\\services.exe", registry_key_name="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_71f6f26", registry_path="HKLM\\System\\CurrentControlSet\\Services\\CDPUserSvc_71f6f26\\ImagePath", registry_value_data="C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup", registry_value_name="ImagePath", risk_message="A Windows Service was created on an endpoint from mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="64.0", savedsearch_description="This analytic looks for suspicious creation or modification of a registry service entry. This technique is abused by adversaries and threat actors to persist, gain privileges on the machine, or even move laterally. It can be executed with the reg.exe application or through the Windows API, as the CrashOverride malware does. This detection is a good indicator that a process is trying to create a service entry via the registry ImagePath value. Note that Windows per-user services (instance names such as CDPUserSvc_<hex>, written by services.exe with the stock svchost.exe ImagePath) are created at user logon and are a common benign source of this alert; triage should focus on non-standard ImagePath values and on writers other than services.exe.", user="SYSTEM" 1681335783, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", 
annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="1", dest="mswin-dc01.attackrange.local", firstTime="2023-04-12T20:15:39", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681335778.141296000", lastTime="2023-04-12T20:15:39", parent_process="unknown", parent_process_id="784", process="unknown", process_id="4156", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. 
Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681335783, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="T1053", annotations._all="Active Directory Lateral Movement", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="mswin-dc01.attackrange.local", firstTime="2023-04-12T20:15:39", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681335778.141296000", lastTime="2023-04-12T20:15:39", parent_process="unknown", parent_process_id="1240", process="unknown", process_id="4156", process_name="runonce.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681335535, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", 
annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", firstTime="2023-04-12T19:53:25", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681335529.203691000", lastTime="2023-04-12T20:48:32", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of processes commonly abused during lateral movement, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681335535, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="4", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-12T20:13:31", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681335529.203691000", lastTime="2023-04-12T20:15:01", parent_process_id="692", parent_process_name="svchost.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of processes commonly abused during lateral movement, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681335535, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-12T20:15:39", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681335529.203691000", lastTime="2023-04-12T20:15:39", parent_process_id="784", parent_process_name="svchost.exe", process="unknown", process_id="5184", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of processes commonly abused during lateral movement, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681335535, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-12T20:15:41", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681335529.203691000", lastTime="2023-04-12T20:15:41", parent_process_id="1240", parent_process_name="svchost.exe", process="unknown", process_id="5184", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of processes commonly abused during lateral movement, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681335535, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1059.001", annotations._all="Source:Endpoint", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Exploitation", annotations._all="Malicious PowerShell", annotations._all="T1047", annotations._all="Stage:Lateral Movement", annotations._all="T1543.003", annotations._all="T1021.006", annotations._all="Active Directory Lateral Movement", annotations._all="T1021", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="3", dest="mswin-dc01.attackrange.local", 
firstTime="2023-04-12T20:15:48", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681335529.203691000", lastTime="2023-04-12T20:15:48", parent_process_id="1016", parent_process_name="svchost.exe", process="unknown", process_id="5184", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-dc01.attackrange.local", risk_object="mswin-dc01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of processes commonly abused during lateral movement, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681333730, search_name="ESCU - Mmc LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1021\", \"T1021.003\", \"T1218.014\"], \"nist\": [\"DE.CM\"]}", annotations._all="Active Directory Lateral Movement", annotations._all="T1218.014", annotations._all="T1021", annotations._all="T1021.003", annotations._all="DE.CM", annotations._all="CIS 10", annotations._all="Living Off The Land", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1218.014", annotations.nist="DE.CM", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-12T20:16:01", info_max_time="1681332600.000000000", info_min_time="1681329000.000000000", info_search_time="1681333723.314863000", lastTime="2023-04-12T20:16:01", parent_process="unknown", parent_process_id="1528", process="unknown", process_id="null", process_name="mmc.exe", risk_message="Mmc.exe spawned a LOLBAS process on mswin-server.attackrange.local.", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `mmc.exe` spawning a LOLBAS execution process. 
When adversaries execute code on remote endpoints abusing the DCOM protocol and the MMC20 COM object, the executed command is spawned as a child process of `mmc.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of mmc.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="Administrator" 1681331934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", 
annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", firstTime="2023-04-12T18:53:16", info_max_time="1681329000.000000000", info_min_time="1681325400.000000000", info_search_time="1681331929.639725000", lastTime="2023-04-12T19:48:24", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of processes commonly abused during lateral movement, including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned from these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681331934, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="T1021", annotations._all="T1021.003", annotations._all="Hermetic Wiper", annotations._all="Malicious PowerShell", annotations._all="Active Directory Lateral Movement", annotations._all="T1059.001", annotations._all="T1021.006", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-12T19:16:11", info_max_time="1681329000.000000000", info_min_time="1681325400.000000000", info_search_time="1681331929.639725000", lastTime="2023-04-12T19:16:11", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681329098, search_name="ESCU - Remote Desktop Network Traffic - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hidden Cobra Malware", analyticstories="Ryuk Ransomware", analyticstories="SamSam Ransomware", annotations="{\"analytic_story\": [\"SamSam Ransomware\", \"Ryuk Ransomware\", \"Hidden Cobra Malware\", \"Active Directory Lateral Movement\"], \"cis20\": [\"CIS 13\"], \"confidence\": 50, \"impact\": 50, \"mitre_attack\": [\"T1021.001\", \"T1021\"], \"nist\": [\"DE.AE\"]}", annotations._all="Hidden Cobra Malware", annotations._all="Ryuk Ransomware", annotations._all="Active Directory Lateral Movement", annotations._all="SamSam Ransomware", annotations._all="T1021.001", annotations._all="T1021", annotations._all="CIS 13", annotations._all="DE.AE", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="SamSam Ransomware", annotations.analytic_story="Ryuk Ransomware", annotations.analytic_story="Hidden Cobra Malware", annotations.analytic_story="Active Directory Lateral Movement", annotations.cis20="CIS 13", annotations.mitre_attack="T1021.001", annotations.mitre_attack="T1021", annotations.nist="DE.AE", count="1", dest="10.0.1.17", dest_port="3389", firstTime="2023-04-12T18:24:16", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681329091.091587000", lastTime="2023-04-12T18:24:16", risk_message="tbd", risk_object="10.0.1.17", risk_object_type="system", risk_score="25.0", savedsearch_description="This search looks for network traffic on TCP/3389, the default port used by remote desktop. While remote desktop traffic is not uncommon on a network, it is usually associated with known hosts. 
This search will ignore common RDP sources and common RDP destinations so you can focus on the uncommon uses of remote desktop on your network.", src="65.129.9.178" 1681328582, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 60, \"impact\": 90, \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"nist\": [\"DE.CM\"]}", annotations._all="CIS 10", annotations._all="DE.CM", annotations._all="Living Off The Land", annotations._all="T1053.005", annotations._all="T1053", annotations._all="Active Directory Lateral Movement", annotations._frameworks="analytic_story", annotations._frameworks="cis20", annotations._frameworks="mitre_attack", annotations._frameworks="nist", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 10", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", annotations.nist="DE.CM", count="2", dest="mswin-server.attackrange.local", firstTime="2023-04-12T18:24:19", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328578.166217000", lastTime="2023-04-12T18:24:19", parent_process="unknown", parent_process_id="680", process="unknown", process_id="3996", process_name="atbroker.exe", risk_message="Svchost.exe spawned a LOLBAS process on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. 
The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", 
annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", firstTime="2023-04-12T18:30:37", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:30:37", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="4648", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:30:37", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:30:37", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="4648", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:24:19", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:24:19", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="4596", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:32:01", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:32:01", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="4472", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:32:02", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:32:02", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="4472", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:31:23", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:31:23", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3828", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:31:23", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:31:23", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="3828", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:30:47", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:30:47", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3348", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:30:48", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:30:48", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="3348", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:26:41", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:26:41", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="3164", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:26:42", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:26:42", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="3164", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:24:19", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:24:19", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="2328", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:31:28", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:31:28", parent_process_id="680", parent_process_name="svchost.exe", process="unknown", process_id="1960", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="mswin-server.attackrange.local", 
firstTime="2023-04-12T18:31:28", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:31:28", parent_process_id="1148", parent_process_name="svchost.exe", process="unknown", process_id="1960", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-server.attackrange.local", risk_object="mswin-server.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681328334, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Hermetic Wiper", annotations._all="T1021.006", annotations._all="Stage:Lateral Movement", annotations._all="T1021.003", annotations._all="T1053.005", annotations._all="T1021", annotations._all="T1047", annotations._all="T1218.014", annotations._all="Active Directory Lateral Movement", annotations._all="Malicious PowerShell", annotations._all="T1059.001", annotations._all="T1543.003", annotations._all="Source:Endpoint", annotations._all="Exploitation", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-12T17:53:08", info_max_time="1681325400.000000000", info_min_time="1681321800.000000000", info_search_time="1681328329.499701000", lastTime="2023-04-12T18:48:17", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681324735, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-12T16:53:01", info_max_time="1681321800.000000000", info_min_time="1681318200.000000000", info_search_time="1681324729.606110000", lastTime="2023-04-12T17:48:09", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681324735, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="Malicious PowerShell", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="T1543.003", annotations._all="Exploitation", annotations._all="Source:Endpoint", annotations._all="Active Directory Lateral Movement", annotations._all="Hermetic Wiper", annotations._all="T1053.005", annotations._all="T1059.001", annotations._all="T1218.014", annotations._all="Stage:Lateral Movement", annotations._all="T1047", annotations._all="T1021", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="7", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-12T16:56:08", info_max_time="1681321800.000000000", info_min_time="1681318200.000000000", info_search_time="1681324729.606110000", lastTime="2023-04-12T16:56:08", parent_process_id="4220", parent_process_name="wmiprvse.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681321135, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="12", dest="mswin-exch01.attackrange.local", 
firstTime="2023-04-12T15:52:53", info_max_time="1681318200.000000000", info_min_time="1681314600.000000000", info_search_time="1681321129.516432000", lastTime="2023-04-12T16:48:01", parent_process_id="3736", parent_process_name="wmiprvse.exe", process="unknown", process_id="15320", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on mswin-exch01.attackrange.local", risk_object="mswin-exch01.attackrange.local", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681321135, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-12T16:17:57", info_max_time="1681318200.000000000", info_min_time="1681314600.000000000", info_search_time="1681321129.516432000", lastTime="2023-04-12T16:17:57", parent_process_id="928", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grand child process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprsve.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of this processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681321135, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="6", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-12T16:17:57", info_max_time="1681318200.000000000", info_min_time="1681314600.000000000", info_search_time="1681321129.516432000", lastTime="2023-04-12T16:20:14", parent_process_id="800", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681321135, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="2", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-12T16:17:57", info_max_time="1681318200.000000000", info_min_time="1681314600.000000000", info_search_time="1681321129.516432000", lastTime="2023-04-12T16:17:57", parent_process_id="1848", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681321135, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="4", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-12T16:18:18", info_max_time="1681318200.000000000", info_min_time="1681314600.000000000", info_search_time="1681321129.516432000", lastTime="2023-04-12T16:35:59", parent_process_id="1832", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681321135, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="1", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-12T16:20:14", info_max_time="1681318200.000000000", info_min_time="1681314600.000000000", info_search_time="1681321129.516432000", lastTime="2023-04-12T16:20:14", parent_process_id="1756", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. 
Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="unknown" 1681321135, search_name="ESCU - Possible Lateral Movement PowerShell Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Hermetic Wiper", analyticstories="Malicious PowerShell", annotations="{\"analytic_story\":[\"Hermetic Wiper\",\"Active Directory Lateral Movement\",\"Malicious PowerShell\"],\"confidence\":50,\"context\":[\"Source:Endpoint\",\"Stage:Lateral Movement\"],\"impact\":90,\"kill_chain_phases\":[\"Exploitation\"],\"mitre_attack\":[\"T1021\",\"T1021.003\",\"T1021.006\",\"T1047\",\"T1053.005\",\"T1543.003\",\"T1059.001\",\"T1218.014\"]}", annotations._all="T1543.003", annotations._all="T1053.005", annotations._all="Stage:Lateral Movement", annotations._all="Active Directory Lateral Movement", annotations._all="Exploitation", annotations._all="T1021", annotations._all="T1218.014", annotations._all="T1021.006", annotations._all="T1021.003", annotations._all="Source:Endpoint", annotations._all="T1047", annotations._all="T1059.001", annotations._all="Malicious PowerShell", annotations._all="Hermetic Wiper", annotations._frameworks="analytic_story", annotations._frameworks="context", annotations._frameworks="kill_chain_phases", annotations._frameworks="mitre_attack", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Malicious PowerShell", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1021", annotations.mitre_attack="T1021.003", annotations.mitre_attack="T1021.006", annotations.mitre_attack="T1047", annotations.mitre_attack="T1053.005", annotations.mitre_attack="T1543.003", annotations.mitre_attack="T1059.001", annotations.mitre_attack="T1218.014", count="25", dest="DESKTOP-92OQLA1", 
firstTime="2023-04-12T16:18:00", info_max_time="1681318200.000000000", info_min_time="1681314600.000000000", info_search_time="1681321129.516432000", lastTime="2023-04-12T16:21:33", parent_process_id="6044", parent_process_name="svchost.exe", process="unknown", process_id="1708", process_name="powershell.exe", risk_message="A PowerShell process was spawned as a child process of typically abused processes on DESKTOP-92OQLA1", risk_object="DESKTOP-92OQLA1", risk_object_type="system", risk_score="45.0", savedsearch_description="The following analytic assists with identifying a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement techniques including `services.exe`, `wmiprvse.exe`, `svchost.exe`, `wsmprovhost.exe` and `mmc.exe`. Legitimate Windows features such as the Service Control Manager, Windows Management Instrumentation, Task Scheduler, Windows Remote Management and the DCOM protocol can be abused to start a process on a remote endpoint. Looking for PowerShell spawned out of these processes may reveal a lateral movement attack. Red Teams and adversaries alike may abuse these services during a breach for lateral movement and remote code execution.", user="Michael Haag"